Ransomware group uses new zero-day to steal data on 1 million patients

The prolific ransomware operation is back with old tricks — and new victims.

Community Health Systems (CHS), one of the largest healthcare providers in the United States with nearly 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to one million patients.

The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stemmed from its use of popular file transfer software called GoAnywhere MFT, developed by Fortra (formerly HelpSystems), which large companies use to share and securely transmit large data sets. Community Health Systems said Fortra recently notified it of a security incident that resulted in the unauthorized disclosure of patient data.

“Due to the security breach experienced by Fortra, the Fortra attacker exposed the protected health information and personal information of certain patients of the company’s affiliates,” according to Community Health Systems’ filing, which was first spotted by DataBreaches.net. The healthcare giant added that it would offer identity theft protection services and notify all affected individuals whose information was exposed, but said there was no significant disruption to patient care.

CHS did not say what types of data were exposed, and a spokesperson has yet to respond to questions from Root Devices. This is CHS’s second known patient data breach in recent years.

Russian-linked extortion gang Clop has claimed responsibility for a new hacking campaign exploiting the zero-day, and claims to have already hacked more than a hundred organizations using Fortra’s file transfer technology – including CHS.

While CHS was quick to come forward as a victim, Clop’s claim suggests there could be dozens more affected organizations — and if you’re one of the thousands of GoAnywhere users, your business could be among them. Thankfully, security experts have shared a ton of information about the zero-day and what you can do to protect against it.

What is the GoAnywhere vulnerability?

Details of the zero-day vulnerability in Fortra’s GoAnywhere software — tracked as CVE-2023-0669 — were first flagged by security journalist Brian Krebs on February 2. In a post on Mastodon, Krebs shared the full text of Fortra’s security advisory, issued the day before, which is not accessible from its public website. Instead, users had to create a Fortra account to access the vulnerability report, a move heavily criticized by cybersecurity experts.

“A zero-day remote code injection exploit has been identified in GoAnywhere MFT,” Fortra said in its hidden advisory. “The attack vector of this exploit requires access to the application’s administrative console, which in most cases is only accessible from a private company network, via a VPN, or with permissioned IP addresses (when running in cloud environments such as Azure or AWS).”

In a technical analysis of the flaw published on February 7, cybersecurity firm Rapid7 described the exploitability of the bug — and the value to the attacker — as “very high” given the sensitivity of the data companies send through GoAnywhere.

Security researchers were quick to compare the vulnerability to an earlier zero-day flaw that affected Accellion’s now-defunct legacy File Transfer Appliance (FTA), which, like GoAnywhere, allowed organizations to securely share sensitive data sets. In 2020, the Clop ransomware gang was found exploiting the Accellion flaw to hack into a number of organizations, including Qualys, Shell, the University of Colorado, Kroger, and Morgan Stanley.

Now, the Clop ransomware gang, which recently made headlines with a new Linux variant of its ransomware, has told Bleeping Computer that it has already exploited the GoAnywhere vulnerability to steal data from more than 130 organizations. Clop has provided no evidence for its claim, and at the time of this writing, Clop’s dark web leak site does not mention either Fortra or GoAnywhere.

Fortra did not respond to questions from Root Devices.

Should I be worried?

Concerns that the GoAnywhere vulnerability would be exploited were not exaggerated.

Cybersecurity firm Huntress reported last week that it was investigating an intrusion into a customer’s network that involved the GoAnywhere zero-day exploit. Huntress linked the intrusion to a Russian-speaking threat actor it calls “Silence,” which has ties to another group called TA505, a criminal hacking group active since at least 2016 and known for targeted campaigns that include the deployment of Clop ransomware.

“Based on the actions observed and previous reports, we can conclude with moderate certainty that the activity observed by Huntress was aimed at deploying ransomware, with the potential additional opportunistic exploitation of GoAnywhere MFT for the same purpose,” said Joe Slowik, threat intelligence manager at Huntress.

Huntress said it expects “broader activity” now that the GoAnywhere zero-day is being actively exploited, in part due to the vulnerability’s simplicity.

Security patches are available

On February 7, Fortra released an emergency patch – version 7.1.2 – and urged all GoAnywhere customers to apply the patch as soon as possible. “Especially for customers running an admin portal exposed to the Internet, we believe this is an urgent matter,” the company said.

The U.S. cybersecurity agency CISA, meanwhile, added the GoAnywhere flaw to its public catalog of known exploited vulnerabilities and ordered all federal civilian executive branch agencies to patch their systems before March 3.
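The two actions the article describes for GoAnywhere operators are to get every instance to version 7.1.2 or later and to keep the administrative console off the public internet (reachable only from a private network, a VPN, or permissioned IP addresses, as Fortra's advisory puts it). The following Python script is an added example, not code from the article, Fortra or CHS: it triages a constructed inventory of instances against both conditions, flagging as urgent the combination Fortra itself called urgent (unpatched and admin portal reachable from outside the allowed ranges). The host names, version strings, address ranges and field names are all assumptions; only the 7.1.2 threshold comes from the article.

```python
"""Added example (not from the article, Fortra or CHS): triage a fleet of
GoAnywhere MFT instances against the 7.1.2 fix the article names and against
the advisory's guidance that the admin console be reachable only from a
private network, a VPN, or permissioned IP addresses.

Host names, versions, CIDR ranges and field names below are constructed
sample data, not anything taken from the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PATCHED_VERSION = (7, 1, 2)  # first fixed release named in the article


def parse_version(v: str) -> tuple:
    """Turn '7.1.10' into (7, 1, 10) so comparison is numeric, not lexical
    (as strings, '7.1.10' < '7.1.2', which would misclassify a patched host)."""
    return tuple(int(part) for part in v.strip().split("."))


def needs_patch(version: str) -> bool:
    """True when the instance is below the first fixed release."""
    return parse_version(version) < PATCHED_VERSION


@dataclass
class Instance:
    host: str
    version: str
    admin_sources: list      # source addresses seen reaching the admin console (assumed data)
    allowed_ranges: list     # ranges treated as private network / VPN / permissioned (assumed)


def admin_exposed(inst: Instance) -> list:
    """Return admin-console source addresses that fall outside every allowed range."""
    nets = [ip_network(r) for r in inst.allowed_ranges]
    return [src for src in inst.admin_sources
            if not any(ip_address(src) in n for n in nets)]


def triage(inventory: list) -> dict:
    """Bucket instances:
    'urgent'   - unpatched and admin console reachable from outside allowed ranges
    'patch'    - unpatched, but console restricted to allowed ranges
    'restrict' - patched, but console still reachable from outside allowed ranges
    'ok'       - patched and restricted"""
    out = {"urgent": [], "patch": [], "restrict": [], "ok": []}
    for inst in inventory:
        exposed = bool(admin_exposed(inst))
        unpatched = needs_patch(inst.version)
        if unpatched and exposed:
            out["urgent"].append(inst.host)
        elif unpatched:
            out["patch"].append(inst.host)
        elif exposed:
            out["restrict"].append(inst.host)
        else:
            out["ok"].append(inst.host)
    return out


# Constructed inventory: RFC 1918 and TEST-NET addresses, made-up host names.
SAMPLE_INVENTORY = [
    Instance("mft-dmz-01", "7.1.1", ["203.0.113.7", "10.0.5.4"], ["10.0.0.0/8"]),
    Instance("mft-internal-01", "6.8.3", ["10.0.5.4"], ["10.0.0.0/8"]),
    Instance("mft-cloud-01", "7.1.2", ["198.51.100.20"], ["10.0.0.0/8", "198.51.100.0/24"]),
    Instance("mft-cloud-02", "7.1.10", ["203.0.113.9"], ["10.0.0.0/8"]),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

The numeric version comparison matters more than it looks: a naive string comparison would rank the constructed "7.1.10" below "7.1.2" and report a patched host as vulnerable. In practice the `admin_sources` field would be filled from firewall, load-balancer or web-server logs for the admin listener, and `allowed_ranges` from the VPN and corporate address plan; a "restrict" result on an already patched host is still worth acting on, because the advisory's network restriction applies regardless of version.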
