Healthcare giant CHS reports first data breach in GoAnywhere hacks

Community Health Systems (CHS) says it was impacted by a recent wave of attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file transfer platform.

The healthcare provider giant said on Monday that Fortra issued an alert saying that it had “experienced a security incident” leading to some CHS data being compromised.

A subsequent investigation revealed that the resulting data breach affected the personal and health information of up to 1 million patients.

“While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care,” CHS said first spotted by .

“With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.”

It also added that it would offer identity theft protection services and notify all affected individuals whose information was exposed in the breach.

CHS is a leading healthcare provider that operates 79 affiliated acute-care hospitals and over 1,000 other sites of care across the United States.

​Clop gang claims it breached 130 Fortra clients

The Clop ransomware gang and told BleepingComputer that they’ve breached and stolen data from over 130 organizations.

Clop also said they had allegedly stolen the data over ten days after breaching GoAnywhere MFT servers vulnerable to exploits targeting the CVE-2023-0669 RCE bug.

The gang didn’t provide proof or additional details regarding their claims when BleepingComputer asked when the attacks began, if they had already started extorting victims, and what ransoms they were asking for.

BleepingComputer could not independently confirm any of Clop’s claims, and Fortra is yet to reply to several emails asking for more info regarding CVE-2023-0669 exploitation and the ransomware group’s allegations.

However, Huntress Threat Intelligence Manager also found links between , a threat group known for deploying Clop ransomware in the past.

Clop is known for using a similar tactic in December 2020, when they discovered and in Accellion’s legacy File Transfer Appliance (FTA) to steal large amounts of data from roughly 100 companies worldwide.

At the time, the victims received emails demanding $10 million in ransoms to avoid having their data published on the cybercrime group’s data leak site.

Organizations that had their Accellion servers hacked include, among others, , , , and multiple universities worldwide such as , , University of Miami, University of California, and the University of Maryland Baltimore (UMB).

If Clop follows a similar extortion strategy, we will likely see a rapid release of data for non-paying victims on the threat actor’s data leak site in the near future.

Federal agencies order to patch until March 3rd

GoAnywhere MFT’s developer Fortra (formerly known as HelpSystems) to its customers last week that a new vulnerability (CVE-2023-0669) was being exploited as a zero-day in the wild.

The company issued after a proof-of-concept exploit , allowing unauthenticated attackers to gain remote code execution on vulnerable servers.

Even though Shodan currently shows that are exposed to attacks, are on ports 8000 and 8001 (the ones used by the vulnerable admin console).

Fortra also revealed, after releasing patches, that some of its MFTaaS hosted instances were also breached in the attacks.

CISA  the GoAnywhere MFT flaw to its on Friday, ordering U.S. federal agencies to secure their systems within the next three weeks, until March 3rd.