The crisis began in the form of a vulnerability notification.
On February 2, 2023, CHSPSC, the US-based management company that provides services to many subsidiary hospital operator companies and other affiliates of American healthcare major Community Health Systems, received an alert from IT vendor Fortra.
On January 28, something unexpected had happened at Fortra — a cyber incident that led to the leak of personal information without authorization. At first, nobody knew how it had happened or who was responsible.
However, on January 30, 2023, Fortra found out that the cause of the incident was a vulnerability in its popular data transfer software GoAnywhere, which organizations worldwide use.
CHSPSC was one of the earliest among Fortra clients, followed by thousands across the globe, to receive a vulnerability alert.
“According to Fortra, the unauthorized party used a previously unknown vulnerability to gain access to Fortra’s systems, specifically Fortra’s GoAnywhere file transfer service platform, compromising sets of files throughout Fortra’s platform,” said a disclosure filed by CHSPSC at the Maine Attorney General’s Office, USA, on March 8.
Coincidentally, security reporter Brian Krebs also reported the details of the GoAnywhere vulnerability on February 2.
Fortra eventually released patches for the GoAnywhere vulnerability on February 7, but the five-day gap was enough for hackers to go on a rampage.
The group that caused the biggest damage was a ransomware gang named Clop, which stylizes its name as “Cl0p”.
GoAnywhere and the popularity bane
Managed File Transfer (MFT) software GoAnywhere enables businesses to securely and compliantly manage and exchange files.
The software is designed for large organizations with over 10,000 employees and at least $1 billion in revenue, serving more than 3,000 such organizations, according to its website.
“Some of these organizations are part of vital infrastructures, such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers. A breach resulting from a GoAnywhere exploitation would lead to a serious supply chain attack,” warned a Malwarebytes Labs threat assessment report on February 8.
“GoAnywhere has a diverse install base ranging from small companies to Fortune 500 companies, as well as non-profit organizations and government entities,” read the statement on the website of its parent company Fortra.
The popularity quickly became a bane for the company.
Along with alerting the customers and assuring that their data was safe, Fortra collaborated with the Cybersecurity and Infrastructure Security Agency, USA, to assess the GoAnywhere vulnerability. CISA added the bug to its list of “must-patch” vulnerabilities on February 6.
“Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2,” said the CISA alert.
“The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS),” said the GoAnywhere advisory issued to Fortra customers.
However, a search conducted on Shodan, an engine that scans for internet-connected devices, found approximately 1,000 exposed GoAnywhere admin panels, the majority of them in Europe and the US.
It’s a known fact that threat actors keep tabs on vulnerability disclosures and are quick to weaponize them. The early bird that caught the proverbial worm was Cl0p. Only this time, it wasn’t a mere catch but a trawl across the world.
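As an added example (not the article's or Fortra's code), a small Python triage of a constructed GoAnywhere MFT inventory against the two points above: the fix shipped in version 7.1.2, and the admin console should be reachable only from the private network, VPN, or allow-listed IPs. The host names, addresses and allow-list are assumptions.

```python
# Added example, not from the article or Fortra: triage a constructed GoAnywhere MFT
# inventory against the advisories' two facts: fix in 7.1.2; admin console private-only.
from dataclasses import dataclass
import ipaddress
PATCHED_VERSION = (7, 1, 2)  # per the CISA alert quoted above
# Hypothetical allow-list: RFC 1918 ranges plus one constructed VPN egress block.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
@dataclass
class Instance:
    host: str
    version: str            # e.g. "7.1.1"
    admin_source_ips: list  # client IPs seen reaching the admin console

def parse_version(v: str) -> tuple:
    # "7.1.1" -> (7, 1, 1); tolerate a trailing build tag such as "7.1.2-rc1"
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_unpatched(inst: Instance) -> bool:
    return parse_version(inst.version) < PATCHED_VERSION

def unexpected_sources(inst: Instance) -> list:
    # Admin-console clients outside every allow-listed network
    out = []
    for ip in inst.admin_source_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ALLOWED_NETS):
            out.append(ip)
    return out

def triage(instances) -> dict:
    # host -> findings; hosts with nothing to report are omitted
    report = {}
    for inst in instances:
        findings = []
        if is_unpatched(inst):
            findings.append(f"unpatched: {inst.version} < 7.1.2")
        for ip in unexpected_sources(inst):
            findings.append(f"admin console reached from non-allow-listed {ip}")
        if findings:
            report[inst.host] = findings
    return report

# Constructed sample inventory (not real hosts or addresses)
SAMPLE = [
    Instance("mft-01.example.test", "7.1.1", ["10.20.30.40"]),
    Instance("mft-02.example.test", "7.1.2", ["203.0.113.7", "198.51.100.9"]),
    Instance("mft-03.example.test", "7.1.2", ["192.168.1.5"]),
]
```

Running `triage(SAMPLE)` flags the first host as unpatched and the second for an admin-console client outside the allow-list; the third produces no finding.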
GoAnywhere: Cl0p just did that!
According to Clop, it stole data from over 130 organizations over the course of ten days from compromised GoAnywhere MFT servers.
Then the gang began naming victims, and disclosures followed.
Cybersecurity company Rubrik conceded on March 14 that its data was stolen using the GoAnywhere bug. The disclosure came hot on the heels of a post on the Cl0p ransomware leak site naming the company as a victim.
Hitachi Energy, one of the highest-profile victims, was among the earliest to name the ransomware actor in its disclosure.
“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in unauthorized access to employee data in some countries,” read the company’s statement on March 17.
That too came after the Japanese multinational conglomerate was named and shamed on the Cl0p leak site.
One of the latest victims to disclose the attack, and probably the biggest on the list, was global consumer goods giant P&G.
About two dozen of P&G’s brands are billion-dollar sellers, including Always, Braun, Crest, Fusion, Gillette, Head & Shoulders, Mach3, Olay, Oral-B, and Pantene.
In response to a query by The Cyber Express, P&G confirmed that it was one of the many companies affected by Fortra’s GoAnywhere incident. However, at this time, there is no indication that customer data was affected by the issue.
“As part of this incident, an unauthorized third party obtained some information about P&G employees. The data that was obtained by the unauthorized party did not include information such as Social Security numbers or national identification numbers, credit card details, or bank account information,” a company spokesperson said.
“When we learned of this incident in early February, we promptly investigated the nature and scope of the issue, disabled use of the vendor’s services, and notified employees. Our business operations are continuing as normal,” the spokesperson added.
The disclosure, of course, came after being listed on the leak site.
GoAnywhere and Cl0p: Connection established
Huntress Threat Intelligence Manager Joe Slowik linked the GoAnywhere MFT attacks to the threat group TA505, known for deploying Clop ransomware.
He investigated an attack in which the Truebot malware downloader was deployed and concluded that there was a moderate likelihood the activity was intended to deploy ransomware, with opportunistic exploitation of GoAnywhere MFT for the same purpose.
“While Huntress was able to identify and contain this infection event before further adversary actions could take place, enough bits of information are available to arrive at some plausible theories on responsibility,” Slowik wrote in a threat assessment blog published on February 8.
“As previously mentioned, Truebot is linked to a group referred to as Silence. As reported by the French CERT, Silence has been active in some form since 2016, with Truebot serving as an initial access, post-compromise tool for the entity’s operations.”
According to Slowik, while the links are not authoritative, the analysis of Truebot activity and deployment mechanisms suggests that there are connections to a group referred to as TA505.
Silence/Truebot activity has also been reported to link to the operations of TA505, the distributors of a ransomware family known as Clop, he added.
Based on previous reporting and observed actions, he concluded that Huntress’s observations indicate that the activity was likely intended to deploy ransomware, with the potential for additional opportunistic exploitation of GoAnywhere MFT for the same purpose.
In all, the ransomware gang claims that it has hit more than 130 victims by exploiting the zero-day vulnerability.
The victim list is still burgeoning. Going by the indications, the crisis is highly likely to spill over to the second quarter of the year.