• About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal
The Cyber Express
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    EU-US Data Privacy Framework

    EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

    Japan cyberattacks

    Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

    Scattered Spider

    Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

    AI Cyber Attacks

    AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

    Apple Security Update

    Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

    Seized Crypto Assets

    Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

    Illegal World Cup Streaming Domains

    U.S. Seizes Nearly 400 Illegal FIFA World Cup Streaming Domains

    Operation Endgame Disrupts SocGholish

    Operation Endgame Disrupts SocGholish, StealC Malware Networks

    UAE Cybersecurity Council

    UAE Cybersecurity Council Calls for Stronger Digital Footprint Protection

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    Pink, Pink Extortion, CL-CRI-1147

    Pink Extortion Group Emerges Targeting Microsoft 365 Data

    AI-Powered Bots

    AI-Powered Bots Are Blurring the Line Between Users and Cyber Threats

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    The Cyber Express cybersecurity roundup

    The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
  • MagazineDownload
  • Firewall Daily
    • All
    • Bug Bounty & Rewards
    • Dark Web News
    • Data Breach News
    • Hacker News
    • Ransomware News
    • Vulnerabilities
    EU-US Data Privacy Framework

    EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

    Japan cyberattacks

    Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

    Scattered Spider

    Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

    AI Cyber Attacks

    AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

    Apple Security Update

    Apple Security Update Patches 30+ Vulnerabilities in iOS 26.5.2

    Seized Crypto Assets

    Ukraine Makes History With First $8.3M Seized Crypto Transfer to ARMA

    Illegal World Cup Streaming Domains

    U.S. Seizes Nearly 400 Illegal FIFA World Cup Streaming Domains

    Operation Endgame Disrupts SocGholish

    Operation Endgame Disrupts SocGholish, StealC Malware Networks

    UAE Cybersecurity Council

    UAE Cybersecurity Council Calls for Stronger Digital Footprint Protection

    Trending Tags

    • blackbyte ransomware
    • Ransomware
    • lapsus$ ransomware
    • Apple
    • Apple vulnerability
  • Essentials
    • All
    • Compliance
    • Governance
    • Policy Updates
    • Regulations
    FBI Warns of Malicious Traffic

    FBI Warns of a Hidden Web Tactic Fueling Phishing and Ransomware

    Ukraine Joins EU Cybersecurity Reserve

    What Ukraine’s Entry Into the EU Cybersecurity Reserve Means

    UK social media ban

    UK Social Media Ban for Under-16s Could Take Effect by Spring 2027

    Ransomware Preparedness

    Ransomware Preparedness Must Be a Boardroom Priority: NCSC Chief

    AI legal assistants

    AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

    VerdantBamboo

    China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

    Crypto Scam, Crypto

    New Threat Actor Targets Crypto Firms’ Development Infrastructure

    Pink, Pink Extortion, CL-CRI-1147

    Pink Extortion Group Emerges Targeting Microsoft 365 Data

    AI-Powered Bots

    AI-Powered Bots Are Blurring the Line Between Users and Cyber Threats

    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
    • All
    • How to
    • What is
    Google Chrome

    How to Remove Saved Passwords From Google Chrome (And Why You Should)

    DPDP Rules, Cyble, DPDP Act, Cyble Vantage

    How Cyble’s Front-Row Vantage Can Help You in Complying to India’s DPDP Act

    Cybersecurity Countries

    The Top 8 Countries Leading the Cyber Defense Race in 2025

    link building

    The Link Building Secrets Your Competitors Don’t Want You to Know

    Supply Chain Attack

    Supply Chain Resilience and Physical Security: Lessons for 2025

    Healthcare cybersecurity trends of 2024

    Healthcare Cybersecurity: 2024 Was Tough, 2025 May Be Better

    CEO's Guide to Take-Down Services

    Shield Your Organization: CEO’s Perspective on Take-Down Services

    Azure sign-in Microsoft

    Microsoft Announces Mandatory MFA for Azure Sign-ins to Bolster Cloud Defenses

    Signal Proxy, Signal, Signal Ban in Russia, Signal Ban in Venezuela, Bypass Signal Ban, How to Activate Signal Proxy, Signal Proxy Server

    How to Set Up Signal Proxy to Help Bypass Censorship in Russia and Venezuela

  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • All
    • Appointments
    • Budgets
    • Mergers & Aquisitions
    • Partnerships
    • Press Release
    • Startups
    Sunil Varkey

    Sunil Varkey Joins Hexaware Technologies as EVP & CISO

    AI Chip, Chip Security Act

    Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

    Fraud, Agentic AI, AI-assisted Cyberattacks

    Agentic AI Run Fraud Campaigns Earning 4.5 Times More: Interpol

    Stryker, Stryker Cyberattack, CISA, Handala

    Stryker Says Cyberattack Disrupted Processing, Manufacturing and Shipping

    INC Ransom, Western Critical Infrastructure, Critical infrastructure, Russian GRU, Russian Threat Actor, Sandworm, APT44, Energy Supply Chain, Energy Infrastructure

    INC Ransom’s Franchise Model Is Putting Critical Infrastructure on the Chopping Block

    Terrorist Cyberattacks, UAE Cyber Security Council

    UAE Blocked AI-Powered Terrorist Cyberattacks Targeting Critical Infrastructure

    Eurail Breach, Eurail

    Eurail Breach Escalates as Stolen Passport Data and IBANs Surface on Dark Web for Sale

    Discord teen-by-default settings

    Discord Introduces Stronger Teen Safety Controls Worldwide

    The Cyber Express cybersecurity roundup

    The Cyber Express Weekly Roundup: FortiOS Exploits, Ransomware, Hacktivist Surge, and EU Telecom Rules

    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board
No Result
View All Result
The Cyber Express
No Result
View All Result
Home Features

What Can an IT Vulnerability Cause? A Global Ransomware Attack!

A vulnerability in managed file transfer (MFT) software GoAnywhere, which serves more than 3,000 organizations across the world, opened the biggest stream of ransomware attacks in Q1, 2023

Chandu Gopalakrishnan by Chandu Gopalakrishnan
October 23, 2025
in Features, Firewall Daily
0
Ransomware Attack
672
SHARES
3.7k
VIEWS
Share on LinkedInShare on Twitter

The crisis began in the form of a vulnerability notification.  

On February 2, 2023, CHSPSC, the US-based management company that provides services to many subsidiary hospital operator companies and other affiliates of American healthcare major Community Health Systems, received an alert from IT vendor, Fortra. 

On January 28, something unexpected happened at Fortra — a cyber incident that led to the leak of personal information without authorization. People were confused and concerned about what happened, and no one knew how it happened or who was responsible. 

However, on January 30, 2023, Fortra found out that the cause of the incident was a vulnerability in its popular data transfer software GoAnywhere, which organizations worldwide use. 

CHSPSC was one of the earliest among Fortra clients, followed by thousands across the globe, to receive a vulnerability alert. 

“According to Fortra, the unauthorized party used a previously unknown vulnerability to gain access to Fortra’s systems, specifically Fortra’s GoAnywhere file transfer service platform, compromising sets of files throughout Fortra’s platform,” said a disclosure filed by CHSPSC at the Maine Attorney General’s Office, USA, on March 8. 

report-ad-banner

Coincidentally, Security reporter Brian Krebs too reported the details of the GoAnywhere vulnerability on February 2.  

Fortra eventually released patches for the GoAnywhere vulnerability on February 7, but the five-day gap was enough for hackers to go on a rampage.  

The group that caused the biggest damage was a ransomware gang named Clop, which stylizes its name as “Cl0p”. 

GoAnywhere and the popularity bane 

Managed File Transfer (MFT) software GoAnywhere enables businesses to securely and compliantly manage and exchange files.  

The software is designed for large organizations with over 10,000 employees and at least $1 billion in revenue, serving more than 3,000 such organizations, according to its website. 

“Some of these organizations are part of vital infrastructures, such as local governments, financial companies, healthcare organizations, energy firms; and technology manufacturers. A breach resulting from a GoAnywhere exploitation would lead to a serious supply chain attack,” warned MalwarebytesLabs threat assessment report on February 8. 

“GoAnywhere has a diverse install base ranging from small companies to Fortune 500 companies, as well as non-profit organizations and government entities,” read the statement on the website of its parent company Fortra. 

The popularity quickly became a bane for the company.  

Along with alerting the customers and assuring that their data was safe, Fortra collaborated with the Cybersecurity and Infrastructure Security Agency, USA, to assess the GoAnywhere vulnerability. CISA added the bug to its list of “must-patch” vulnerabilities on February 6. 

“Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2,” said the CISA alert. 

The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS),” said the GoAnywhere advisory issued to Fortra customers. 

However, a search conducted on Shodan, an engine that scans for internet-connected devices, found approximately 1000 exposed GoAnywhere admin panels. The majority of these panels were discovered in Europe and the US. 

It’s a known fact that threat actors keep a tab on vulnerability disclosures and are quick to weaponize them. The early bird that caught the proverbial worm was Cl0p. Only this time, it wasn’t a mere catch but a trawl across the world. 

GoAnywhere: Cl0p just did that! 

ransomware attack
One of the latest victims to disclose the ransomware attack, and probably the biggest in the list, was global consumer goods giant P&G.

Days after Fortra issued the patch, Clop ransomware declared that they were actively tapping the vulnerability.  

According to Clop, they stole data from over 130 organizations over the course of ten days, from compromised GoAnywhere MFT servers. 

Then the gang began naming victims, and disclosures followed. 

Cybersecurity company Rubrik conceded on 14 March that its data was stolen using the GoAnywhere bug. The disclosure came hot on the heels of a post on the Cl0p ransomware leak site, naming the company as a victim. 

Hitachi Energy, one of the high-profile victims, was among the earlier victims to name the ransomware actor in its disclosure. 

“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries,” read the company’s statement on March 17.  

That too came after the Japanese multinational conglomerate was named and shamed on the Cl0p leak site. 

One of the latest victims to disclose the ransomware attack, and probably the biggest in the list, was global consumer goods giant P&G.  

About two dozen of P&G’s brands are billion-dollar sellers, including Always, Braun, Crest, Fusion, Gillette, Head & Shoulders, Mach3, Olay, Oral-B, and Pantene. 

In response to a query by The Cyber Express, P&G confirmed that it was one of the many companies affected by Fortra’s GoAnywhere incident. However, at this time, there is no indication that customer data was affected by the issue. 

“As part of this incident, an unauthorized third party obtained some information about P&G employees. The data that was obtained by the unauthorized party did not include information such as Social Security numbers or national identification numbers, credit card details, or bank account information,” a company spokesperson said.  

“When we learned of this incident in early February, we promptly investigated the nature and scope of the issue, disabled use of the vendor’s services, and notified employees. Our business operations are continuing as normal,” the spokesperson added. 

The disclosure, of course, came after being listed on the leak site. 

GoAnywhere and Cl0p: Connection established

Ransomware Attack
Ransomware Attack 2023: Days after Fortra issued the patch, Clop ransomware declared that they were actively tapping the vulnerability.

Huntress Threat Intelligence Manager Joe Slowik linked the GoAnywhere MFT attacks to the threat group TA505, known for deploying Clop ransomware.  

He investigated an attack where the TrueBot malware downloader was deployed and concluded that there was a moderate likelihood that the activity was intended to deploy ransomware, with opportunistic exploitation of GoAnywhere MFT for the same purpose. 

“While Huntress was able to identify and contain this infection event before further adversary actions could take place, enough bits of information are available to arrive at some plausible theories on responsibility,” Slowik wrote in a threat assessment blog published on February 8. 

“As previously mentioned, Truebot is linked to a group referred to as Silence. As reported by the French CERT, Silence has been active in some form since 2016, with Truebot serving as an initial access, post-compromise tool for the entity’s operations.” 

According to Slowik, while the links are not authoritative, the analysis of Truebot activity and deployment mechanisms suggests that there are connections to a group referred to as TA505.  

Distributors of a ransomware family known as Clop have reported that Silence/Truebot activity links to TA505 operations, he added.  

Based on previous reporting and observed actions, he concluded that Huntress’s observations indicate that the activity was likely intended to deploy ransomware, with the potential for additional opportunistic exploitation of GoAnywhere MFT for the same purpose. 

In all, the ransomware gang claims that it has hit more than 130 victims by exploiting the zero-day vulnerability. 

The victim list is still burgeoning. Going by the indications, the crisis is highly likely to spill over to the second quarter of the year. 

Share this:

  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Reddit (Opens in new window) Reddit
  • Share on X (Opens in new window) X
  • Share on Facebook (Opens in new window) Facebook
  • More
  • Email a link to a friend (Opens in new window) Email
  • Share on WhatsApp (Opens in new window) WhatsApp

Related

Tags: GoAnywhere data breachransomware attack
Previous Post

Pakistan Cyber Attack, Team UCC Claims to Take Down Pakistan International Airlines

Next Post

The Five Steps of a Cyber Incident Response Communication Plan

Next Post
The Five Steps of a Cyber Incident Response Communication Plan

The Five Steps of a Cyber Incident Response Communication Plan

Q1 2026 Threat Reports

❮ ❯
Cyble-Vision


Follow Us On Google News

Latest Cyber News

EU-US Data Privacy Framework
Cyber News

EU-US Data Privacy Framework Under Threat After Supreme Court Ruling

July 3, 2026
Japan cyberattacks
Cyber News

Japan’s Aflac, KDDI, Sapporo, Nidec: Four Breaches, One Common Entry Point

July 2, 2026
Scattered Spider
Cyber News

Alleged Scattered Spider Member Arrested in Finland, Extradited to U.S.

July 2, 2026
AI Cyber Attacks
Cyber News

AI Cyber Attacks Emerge as Biggest Threat to Indian Banking: RBI

July 1, 2026

Categories

Web Stories

Do This on Telegram, Your Bank Account Will Become Zero
Do This on Telegram, Your Bank Account Will Become Zero
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
If You Install the iOS 18 Beta, Your iPhone Could Be Hacked
Cricket World Cup Ticketing Systems Under Cybersecurity
Cricket World Cup Ticketing Systems Under Cybersecurity
Cyber Threats and Online Ticket Scams During the NBA Finals
Cyber Threats and Online Ticket Scams During the NBA Finals
Biometric Data Security: Protecting Sensitive Information
Biometric Data Security: Protecting Sensitive Information

About

The Cyber Express

#1 Trending Cybersecurity News and Magazine

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

 

Contact

For editorial queries: [email protected]

For marketing and Sales: [email protected]

 

Quick Links

  • About Us
  • Contact Us
  • Editorial Calendar
  • Careers
  • The Cyber Express by Cyble Vulnerability Disclosure Policy
  • Cyble Trust Portal

Our Address

We’re remote friendly, with office locations around the world:

San Francisco, Atlanta, Rome,
Dubai, Mumbai, Bangalore, Hyderabad,  Singapore, Jakarta, Sydney, and Melbourne

 

Headquarters:

The Cyber Express LLC
10080 North Wolfe Road, Suite SW3-200, Cupertino, CA, US 95014

 

India Office:

Cyber Express Media Network
HD-021, 4th Floor, C Wing, Building No.4. Nesco IT Park, WE Highway, Goregaon East, Mumbai, Maharashtra, India – 4000063

  • Privacy Statement
  • Terms of Use
  • Write For Us

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Magazine
  • Firewall Daily
  • Essentials
    • Regulations
    • Compliance
    • Governance
    • Policy Updates
  • Knowledge Hub
  • Features
    • Cyber Warfare
    • Espionage
    • Workforce
      • Learning & Development
  • Business
    • Startups
    • Mergers & Aquisitions
    • Partnerships
    • Appointments
    • Budgets
    • Research
      • Whitepapers
      • Sponsored Content
      • Market Reports
    • Interviews
      • Podcast
  • Events
    • Conference
    • Webinar
    • Endorsed Events
  • Advisory Board

© 2026 The Cyber Express - Cybersecurity News and Magazine.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
-
00:00
00:00

Queue

Update Required Flash plugin
-
00:00
00:00
Do This on Telegram, Your Bank Account Will Become Zero If You Install the iOS 18 Beta, Your iPhone Could Be Hacked Cricket World Cup Ticketing Systems Under Cybersecurity Cyber Threats and Online Ticket Scams During the NBA Finals Biometric Data Security: Protecting Sensitive Information