Ransomware Group Steals 1 Million Patient Records
Clop, a ransomware group with ties to Russia, has asserted it was behind recent attacks that exploited a zero-day flaw in the GoAnywhere MFT secure file transfer tool. One of the biggest victims was Community Health Systems (CHS), one of the largest healthcare providers in the US. CHS confirmed that criminal hackers stole the private medical records of approximately 1 million patients this week.
Clop told BleepingComputer that they are responsible for exploiting the new zero-day vulnerability. They claim to have already stolen data from more than 130 organizations that use GoAnywhere. However, they failed to provide any evidence to support these claims.
CHS said that Fortra (the developers of the GoAnywhere software) recently informed them about a security incident that led to CHS patient data being disclosed without authorization. In its filing with government regulators, CHS confirmed that the data breach happened because it used the popular file-transfer software. The GoAnywhere software is used by many large businesses to share and send large sets of data securely.
Brian Krebs, a security journalist, was the first to report the zero-day flaw in Fortra's GoAnywhere software on February 2. The flaw is known as CVE-2023-0669. Krebs posted Fortra's full security advisory regarding the vulnerability on Mastodon.
The security firm Huntress also revealed last week that an exploit of the GoAnywhere vulnerability was the cause of a breach experienced by one of its clients. Huntress claimed the breach was caused by a Russian-speaking threat group called Silence. The group is connected to another group called "TA505", which is a criminal hacking group known for targeted campaigns using Clop ransomware.
Cybersecurity firm Rapid7 conducted an examination of the vulnerability. Their analysis described the bug's exploitability and value to the attacker as "very high" due to the sensitive data that businesses share through GoAnywhere.
CHS was the first to come forward as a victim, but if Clop’s claim is to be believed, there could be many more affected organizations out there. Fortra has released security patches and has urged all GoAnywhere users to update the software immediately to prevent further attacks.
This attack seems to be part of a rising trend of cybercriminal groups attacking American healthcare organizations. In December last year, the data of 3 million patients was stolen from California's Heritage Provider Network (HPN).