After Hitachi Energy, Onex, Saks Fifth Avenue, Rubrik, the City of Toronto has become the latest victim of those impacted by the GoAnywhere MFT data breach. The City of Toronto cyberattack was a result of the exploitation of zero-day exploitation of CVE-2023-0669 — Fortra GoAnywhere MFT RCE Vulnerability.
On March 20, The City of Toronto became aware of an unauthorized access to its systems through a third-party vendor. A City of Toronto spokesperson confirmed that unauthorized access was found to files that were unable to be processed through the vendor’s file transfer system.
City of Toronto cyberattack exploiting GoAnywhere vulnerability
The city government is investigating the details of the City of Toronto cyberattack. The security incident is linked to the Fortra GoAnywhere MFT vulnerability where the exploitation allowed remote code execution. The vulnerability was given a score of 7.2 which makes it a high-severity bug. However, it was patched in version 7.1.2.
Clop ransomware group claimed that they accessed the systems of over 130 organizations after gaining access to GoAnywhere, which provides safe file transfer services to organizations.
The group was able to access system data for nearly 10 days. The vulnerability allowed moving laterally through the network which the group misused to launch ransomware payloads and encrypt data.
The ransomware was allegedly used to steal data from GoAnywhere MFT servers.
In a tweet, cybersecurity researcher Brett Callow called the City of Toronto unlucky. “The City of Toronto has been unlucky when it comes to file transfer. First, it was breached via its Accellion FTA, and now it’s been breached via its Forta GoAnywhere.”
A Virgin spokesperson also confirmed that the U.K.’s Virgin Red has been victimized by the GoAnywhere exploitation.
Accellion FTA exploitation
Callow noted that in both security breaches, the culprit was the Clop ransomware group.
Accellion, In., which is now known as Kiteworks suffered a security breach at the hands of Clop. It offers services to its clients such as file transferring, securing sensitive files, application programming interface, etc.
Clop exploited a zero-day vulnerability in Accellion FTA in 2020 to steal data from over 100 companies, which throws light on the importance of companies offering file transfer services to clients globally.
A ransom of $10 million was demanded from impacted companies with a threat to leak sensitive data.
Some of the victims were Kroger, Qualys, the University of Colorado, the University of Miami, etc.
In an international law enforcement operation called Operation Cyclone, six members of Clop were arrested in Ukraine, in June 2021.