Healthcare giant CHS reports first data breach in GoAnywhere hacks

Community Health Systems (CHS) says it was impacted by a recent wave of attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer platform.

The healthcare provider giant said on Monday that Fortra issued an alert saying that it had "experienced a security incident" leading to some CHS data being compromised.

A subsequent investigation revealed that the resulting data breach affected the personal and health information of up to 1 million patients.

"While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company's information systems and that there has not been any material interruption of the Company's business operations, including the delivery of patient care," CHS said an 8-K filing with the SEC first spotted by DataBreaches.net.

"With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack."

It also added that it would offer identity theft protection services and notify all affected individuals whose information was exposed in the breach.

CHS is a leading healthcare provider that operates 79 affiliated acute-care hospitals and over 1,000 other sites of care across the United States.

​Clop gang claims it breached 130 Fortra clients

The Clop ransomware gang claims to be behind these attacks and told BleepingComputer that they've breached and stolen data from over 130 organizations.

Clop also said they had allegedly stolen the data over ten days after breaching GoAnywhere MFT servers vulnerable to exploits targeting the CVE-2023-0669 RCE bug.

The gang didn't provide proof or additional details regarding their claims when BleepingComputer asked when the attacks began, if they had already started extorting victims, and what ransoms they were asking for.

BleepingComputer could not independently confirm any of Clop's claims, and Fortra is yet to reply to several emails asking for more info regarding CVE-2023-0669 exploitation and the ransomware group's allegations.

However, Huntress Threat Intelligence Manager Joe Slowik also found links between the GoAnywhere MFT attacks and TA505, a threat group known for deploying Clop ransomware in the past.

Clop is known for using a similar tactic in December 2020, when they discovered and exploited a zero-day bug in Accellion's legacy File Transfer Appliance (FTA) to steal large amounts of data from roughly 100 companies worldwide.

At the time, the victims received emails demanding $10 million in ransoms to avoid having their data published on the cybercrime group's data leak site.

Organizations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB).

If Clop follows a similar extortion strategy, we will likely see a rapid release of data for non-paying victims on the threat actor's data leak site in the near future.

Federal agencies order to patch until March 3rd

GoAnywhere MFT's developer Fortra (formerly known as HelpSystems) disclosed to its customers last week that a new vulnerability (CVE-2023-0669) was being exploited as a zero-day in the wild.

The company issued emergency security updates after a proof-of-concept exploit was released online, allowing unauthenticated attackers to gain remote code execution on vulnerable servers.

Even though Shodan currently shows that over 1,000 GoAnywhere instances are exposed to attacks, only 136 are on ports 8000 and 8001 (the ones used by the vulnerable admin console).

Internet-exposed GoAnywhere MFT instances (Shodan)

Fortra also revealed, after releasing patches, that some of its MFTaaS hosted instances were also breached in the attacks.

CISA added the GoAnywhere MFT flaw to its Known Exploited Vulnerabilities Catalog on Friday, ordering U.S. federal agencies to secure their systems within the next three weeks, until March 3rd.