Ransomware gang uses new zero-day to steal data on 1 million patients

A prolific ransomware operation is back with old tricks — and new victims.

Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients.

The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT, developed by Fortra (previously known as HelpSystems), which is deployed by large businesses to share and send large sets of data securely. Community Health Systems said that Fortra recently notified it of a security incident that resulted in the unauthorized disclosure of patient data.

"As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company's affiliates were exposed by Fortra's attacker," according to the filing by Community Health Systems, which was first spotted by DataBreaches.net. The healthcare giant added that it would offer identity theft protection services and notify all affected individuals whose information was exposed, but said there had been no material interruption to its delivery of patient care.

CHS hasn’t said what types of data were exposed and a spokesperson has not yet responded to TechCrunch’s questions. This is CHS' second-known breach of patient data in recent years.

The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra's file-transfer technology — including CHS.

While CHS has been quick to come forward as a victim, Clop's claim suggests there could be dozens more affected organizations out there -- and if you're one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it.

What is the GoAnywhere vulnerability?

Details of the zero-day vulnerability in Fortra's GoAnywhere software — tracked as CVE-2023-0669 — were first flagged by security journalist Brian Krebs on February 2. In a post on Mastodon, Krebs shared the full text of Fortra's security advisory, issued a day earlier, which is not accessible from its public website. Rather, users had to create a Fortra account in order to access the vulnerability report, a move that has been roundly criticized by cybersecurity experts.

“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said in its hidden advisory. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

In a technical analysis of the flaw published on February 7, cybersecurity company Rapid7 described the exploitability of the bug — and the value to the attacker — as “very high,” given the sensitivity of the data that companies send through GoAnywhere.

Security researchers were quick to liken the vulnerability to an earlier zero-day flaw affecting Accellion’s now-defunct legacy file transfer appliance (FTA), which, like GoAnywhere, allowed organizations to securely share sensitive datasets. The Clop ransomware gang was found abusing the Accellion flaw back in 2020 to breach a number of organizations, including Qualys, Shell, the University of Colorado, Kroger and Morgan Stanley.

Now the Clop ransomware gang — which recently made headlines with its new Linux variant — told Bleeping Computer that it has already exploited the GoAnywhere vulnerability to steal data from more than 130 organizations. Clop did not provide evidence for its claim, and at the time of writing, Clop’s dark web leak site makes no mention of either Fortra or GoAnywhere.

Fortra did not respond to TechCrunch's questions.

Should I be concerned?

Concerns about the exploitability of the GoAnywhere vulnerability have not been overstated.

Cybersecurity firm Huntress reported last week that it investigated an intrusion into a customer's network involving the exploitation of the GoAnywhere zero-day. Huntress linked the intrusion to a Russian-speaking threat actor that it calls "Silence," which has links to another group referred to as TA505, a criminal hacking crew that has been active since at least 2016 and is known for targeted campaigns involving the deployment of Clop ransomware.

"Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose," said Joe Slowik, threat intelligence manager at Huntress.

Huntress said that given in part to the simplicity of the vulnerability, it anticipates seeing "wider activity" now that the exploit for the GoAnywhere zero-day is being actively exploited.

Security patches available

Fortra released an emergency patch — version 7.1.2 — on February 7 and urged all GoAnywhere customers to apply the fix as soon as possible. "Particularly for customers running an admin portal exposed to the internet, we consider this an urgent matter," the company said.

U.S. cybersecurity agency CISA, meanwhile, has added the GoAnywhere flaw to its public catalog of known exploited vulnerabilities and has ordered all federal civilian executive branch agencies to patch their systems before March 3.