Yet another organization has been compromised following Forta’s GoAnywhere hack. After Community Health Systems, Hatch Bank, Canada’s asset managing firm Onex, has confirmed being impacted by the GoAnywhere security incident.
Onex, which has assets worth over $51 billion, stated that though the company’s systems were not directly assessed or breached, due to GoAnywhere MFT incident, its security and data were indirectly impacted.
The Clop ransomware group listed and delisted Onex multiple times before finally adding it to its target list on the leak site.
Onex data exposed
According to an IT World Canada report, an unspecified amount of company information was accessed after Onex’s data was exposed.
A spokesperson from Onex, on the condition of anonymity, told the news organization that the data was assessed through GoAnywhere.
“It was a third-party provider that was impacted that we have some data [with] that has been affected. We are dealing with our clients appropriately,” they said. However, no details regarding the size of the impacted data or any ransom demands were shared.
How the GoAnywhere ransomware attack began
Zero-day vulnerability in Fortra GoAnywhere MFT
Clop ransomware group exploited a zero-day vulnerability CVE-2023-0669 in the Fortra GoAnywhere MFT secure file-sharing solution.
Developers of the GoAnywhere MFT began alerting its customers about exploitations of a zero-day remote code execution vulnerability on exposed administrator consoles.
To exploit this vulnerability, access to a private company network through VPN or by allow-listed IP addresses was needed. Hence, the administrative console must be exposed online.
Cybersecurity researcher Kevin Beaumont conducted a Shodan scan to find how many exposed GoAnywhere instances are on the internet.
He found that there were 1,008 servers, mostly in the United States of America, and most of the admin consoles used ports 8ooo and 8oo1. Of those ports, over 100 exposed admin consoles were detected.
There was no patch for this vulnerability available at that time when it was first reported early on February 2. An emergency patch (7.1.2) was released for the GoAnywhere MFT zero-day vulnerability by Fortra on February 7.
Exploitation leading to Onex’s data being exposed
Clop exploited the flaw for over ten days and stole data from 130 companies, the ransomware group told a news organization. In March, reports of extortion by Clop surfaced due to the exploitation of the GoAnywhere vulnerability.
Clients of GoAnywhere
GoAnywhere is a file transfer solution that is used by companies to exchange their encrypted files safely. It is used by organizations related to energy, finance, entertainment, healthcare, etc.
Clop is known to target networks that cater to several agencies. In 2021, the ransomware group targeted Accellion FTA which was also a file transfer service.
Clop ransomware began demanding a ransom from the companies whose data the group managed to steal.
Companies victimized by Clop ransomware group
Community Health Systems (CHS) and Hatch Bank, were among those companies that came forward with the news of their data being stolen in the Clop ransomware attack on GoAnywhere.
The Silicon Valley security firm, Rubrik also confirmed that it experienced unauthorized access which is likely rooted in the GoAnywhere zero-day flaw exploitation.
Clop, on the other hand, added the names of 7 companies on its leak site including Hatch Bank and more recently Onex.