Alert essentials:
The Russia-linked ransomware group Clop has taken responsibility for mass attacks on more than 130 organizations in recent weeks, including a compromise of Community Health Systems (CHS) which involves unauthorized access to information of up to 1 million patients. Clop is exploiting a zero-day command injection exploit in Fortra’s GoAnywhere MFT solution to compromise organizations and inject ransomware.
Detailed threat description:
Initially disclosed on February 1st, Fortra’s GoAnywhere MFT solution is vulnerable to a pre-authentication command injection exploit which allows attackers with network-level access to the GoAnywhere MFT administration port (default 8000) to execute arbitrary code.
Fortra has released emergency patch 7.1.2 as of February 7th to address this vulnerability. Organizations using Fortra’s GoAnywhere MFT solution should immediately ensure that this patch is installed.
Affected products / versions
- Fortra GoAnywhere MFT versions 7.1.1 and prior
CVEs
- CVE-2023-0669
Impacts on healthcare organizations
This campaign spreads ransomware, and all business-critical systems could be impacted or rendered unavailable in the event of an attack and further proliferation within a victim’s network.
Ransomware such as those used by Clop poses the highest possible risk to healthcare organizations. Ransomware can take systems critical for patient care offline, rendering necessary information inaccessible to healthcare professionals while simultaneously leaking PHI to attackers. Ransomware can also encrypt data across organizations’ networks causing extended downtime and financial damage.
Data leaks caused by ransomware often require healthcare organizations to issue public statements on the nature of the breach, causing significant reputational harm as well.
Recommendations
Engineering recommendations:
- If your organization uses GoAnywhere MFT, immediately install patch 7.1.2
- Ensure proper deployment of endpoint detection and response tool sets where possible
Leadership / program recommendations:
- Consider advanced response mechanisms such as Endpoint Detection and Response technologies for a Defense-In-Depth approach to security
- Review IR Plans and dedicate a procedure and organization preparedness around a Ransomware threat
- Review and understand system recovery capabilities and limitations via Recovery Time and Recovery Point Objectives
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://www.hhs.gov/sites/default/files/clop-allegedly-targeting-healthcare-industry-sector-alert.pdf
- https://hstechdocs.helpsystems.com/releasenotes/Content/_ProductPages/GoAnywhere/GAMFT.htm
- https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
- https://techcrunch.com/2023/02/15/clop-ransomware-community-health-systems/
