Dozens of organizations have been added to Clop ransomware’s victim list over the last couple of months, and this week was no exception.
Clop claims to have hacked into over 100 organizations through a zero-day vulnerability found in Fortra’s GoAnywhere file transfer product earlier this year. The flaw is being tracked as CVE-2023-0669.
Among the big names on the victim list are Japanese tech giant Hitachi as well as Community Health Systems, one of the largest healthcare providers in the US. Cloud data management giant Rubrik disclosed that they were a victim of the ransomware group exploiting the GoAnywhere bug.
This week brought some new listings. The Clop ransomware group put luxury retailer Saks Fifth Avenue on the victim list on its dark web leak site. The department store claims, though, that the hackers only accessed bogus customer information and did not reach any sensitive corporate assets.
In another development, Rio Tinto, the world’s second-largest metals and mining corporation, which had previously declined to comment on being added to Clop’s list of victims, has warned its Australian workers today, March 23, that some of their personal data could have been stolen during a cyberattack by a malicious group targeting a supplier to the mining giant.
Background to the GoAnywhere Zero-Day Vulnerability
On February 3, 2023, the developers of Fortra’s GoAnywhere MFT sent an advisory addressed to its customer portal. They warned users of a zero-day remote code execution vulnerability being actively exploited in the wild. Successful exploitation of this vulnerability, they explained, could allow sensitive data to be leaked.
The vulnerability specifically impacts administrator consoles in GoAnywhere MFT, and exploitation is only possible with access to an administrator console that is exposed to the internet.
Fortra urged customers to apply an emergency patch they released to protect themselves from attack.
If you are a user of GoAnywhere MFT, make sure you’re following these important guidelines.
- Patch your GoAnywhere MFT instances
- If, for some reason, this is not possible, apply the GoAnywhere workaround
- Under all circumstances, do not expose the administrator console to the internet