Clop GoAnywhere Attacks Have Now Hit 130 OrganizationsGang Claims Responsibility for 50+ Hacks; Breach Fallout Hits Many Top Brands
So far, the Clop ransomware group campaign using a zero-day vulnerability in Fortra's widely used managed file transfer software, GoAnywhere MFT, has compromised networks used by 130 different organizations. The gang has taken responsibility for over 50 hacks.
Cybersecurity analyst and security researcher Dominic Alvieri on Friday claimed that about 56 victims have been breached by the Clop ransomware group in the past 24 hours.
Joining the list is British multinational conglomerate Virgin's rewards club, Virgin Red; the city of Toronto; Rio Tinto; Rubrik; Axis Bank; Hitachi Energy; Saks Fifth Avenue; Procter & Gamble; the U.K.'s Pension Protection Fund; Pluralsight; Munich RE and others.
The more recent victims are French digital transformation and hybrid cloud company Atos and the government of Goa, India.
Atos says that no IT environment has been compromised and the presumed leak is limited to a specific Nimbix file transfer application hosted on GoAnywhere MFT.
"On March 24, the hacker group Clop announced on the darknet that sensitive Atos data has been compromised. We want to reassure our clients, suppliers and employees that this is not the case. No ransomware has affected any Atos IT system," the company said in a statement.
According to its investigation, the company found that it was only processing standard data from Nimbix, a U.S. company acquired by Atos in 2021. The investigators found a backup folder from 2016 that was presumably exposed due to a zero-day vulnerability known to be exploited by Clop.
"We are in contact with the clients concerned. We are continuing to actively monitor the situation and will provide further updates if there is any change to the information above," the statement said.
A Virgin Red spokesperson told Information Security Media Group that the company was contacted by Clop ransomware group, which illegally obtained some Virgin Red files via a cyberattack on its supplier, GoAnywhere.
"The files in question pose no risk to customers or employees as they contain no personal data," the company said.
The city of Toronto also confirmed to ISMG that an unauthorized party had gained access to its data through a third-party vendor. The city said the actor on Thursday accessed files that were unable to be processed through the third-party secure file transfer system.
"The city is actively investigating the details of the identified files. The city of Toronto is committed to protecting the privacy and security of Torontonians whose information is in its care and control and successfully wards off cyberattacks on a daily basis," the spokesperson said.
Educational company Pluralsight told ISMG that its products and infrastructure were not affected by this incident.
"Pluralsight did use Fortra's Managed File Transfer product, GoAnywhere, to transfer platform usage data to our professional services customers. When Fortra informed us of this incident, we immediately discontinued [the] use of the product and notified all of our affected customers and explained the potential risks to their data," the spokesperson said.
The U.K.'s Pension Protection Fund also released a statement saying that a few of its current and former employees have been affected by the potential breach.
"We immediately stopped using GoAnywhere and began an investigation, working closely with Fortra and our security partners. Understanding what data may have been compromised and contacting anyone potentially affected has been our top priority," the company said.
Louise Ferrett, threat intelligence analyst at Searchlight Cyber, says that this is not the first time Clop has mass-hacked a number of organizations by exploiting vulnerabilities in third-party software. In late 2020 and early 2021, it used a similar tactic to attack more than 100 organizations with Accellion's legacy File Transfer Appliance, using a combination of zero-day vulnerabilities and a new web shell.
"This time the operation has used CVE-2023-0669 in Fortra's GoAnywhere MFT secure file transfer tool. This approach of targeting multiple organizations and then announcing them in quick succession distinguishes Clop from other ransomware operations," Ferrett says.
The campaign first came to light when cybersecurity software giant Rubrik announced that it had fallen victim to attackers exploiting a flaw in the GoAnywhere file transfer software. The vulnerability exploited by attackers is designated as CVE-2023-0669, and it exists in Windows and Linux versions of the managed file transfer software prior to 7.1.2.
The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw in which attackers can exploit the flaw and remotely execute code of their choosing without having to first authenticate in the GoAnywhere MFT administrative console.
For the attack to succeed, the administrative console must be internet-exposed. The first known attacks to exploit the flaw began Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which patches the flaw.
The U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies have urged all GoAnywhere MFT users to immediately upgrade their software or use workarounds to mitigate the vulnerability (see: Authorities Warn Healthcare Sector of Ongoing Clop Threats).
"Clop is a ransomware-as-a-service operation, which means that a number of affiliates use its ransomware in their attacks. It is noteworthy for having links to larger cybercriminal gangs such as FIN11 and TA505, for often targeting high-profile organizations and for its longevity, having emerged in February 2019 as a variant of the CryptoMix ransomware strain," Ferrett said.