GoAnywhere MFT Hack Impacts Up to 1 Million Community Health Systems Patients and Growing Gootloader Attacks

Community Health Systems based in Franklin, TN recently reported being affected by a security incident that happened at cybersecurity firm, Fortra. Unauthorized people acquired access to the protected health information (PHI) of around 1 million of its patients. Community Health Systems is one of the United States’ biggest health systems. It manages 79 hospitals and over 1,000 healthcare websites in 16 states. Last February 13, 2023, Community Health Systems confirmed with a Securities and Exchange Commission 8-k filing that it was just informed by Fortra that a security incident affected a portion of its PHI.

Community Health Systems stated the breach seems to have affected Fortra’s GoAnywhere MFT platform only. Its own systems were not compromised, and patient care was likewise not affected. It is too soon to say specifically what data was exposed, the degree of data theft if any, and how many persons were impacted, however, Community Health Systems is convinced around 1 million persons were most probably impacted.

Community Health Systems stated that it has a cyber insurance plan that gave some degree of security against losses caused by cyberattacks and it is going to provide identity theft protection services to impacted persons. More information will be published while the investigation unfolds.

Zero-Day Vulnerability Exploited in Over 130 Cyber Attacks

Fortra is a cybersecurity firm that offers a safe file transfer platform known as GoAnywhere MFT. Fortra lately stated that it found a zero-day vulnerability being exploited in the wild. When the security notification was issued, there was still no patch available to resolve the vulnerability. Fortra informed all clients and suggested mitigations to avoid exploitation of the vulnerability, then launched an emergency patch the next day.

An attacker can exploit vulnerability CVE-2023-0669 remotely on GoAnywhere MFT instances if their admin consoles are open online. A malicious actor can successfully exploit the vulnerability and remotely implement code. This week, a proof-of-concept (PoC) exploit specifically for the vulnerability was made available to the public. It’s not possible to exploit the vulnerability when the admin console is just accessible with a private network or by means of a VPN, nor when allow-lists were set up to limit access to trusted IP addresses.

Bleeping Computer made a report about a hacker, claiming to be a Clop ransomware gang member, who claimed its group has exploited the vulnerability in over 130 companies. The exploit enabled them to obtain access to systems and move laterally. Although ransomware could have been deployed, the decision was just to extract information in an extortion-only attack.

The same strategies were employed in December 2020 with a number of attacks that took advantage of a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Roughly 100 organizations were impacted, had records stolen, and were susceptible to extortion attempts. Information was eventually exposed on the Clop data leak website when there was no ransom payment given. An F1N11 group that has ties with the Clop ransomware group was accountable for the attacks.

Although the Clop ransomware member claims are not verified, Threat Intelligence Manager Joe Slowik of Huntress cybersecurity company has connected the attacks to the threat actor monitored as TA505, which has earlier executed ransomware attacks using Locky, Globelmposter, Philadelphia, and Clop ransomware variants. Bleeping Computer states that Shodan scans indicate there were over 1,000 GoAnywhere MFT instances exposed online, nevertheless merely 136 are vulnerable to the flaws, because they may be accessed through ports 8000 and 8001, which are employed by the insecure admin console.

Healthcare Sector Cautioned About Growing GootLoader Malware Attacks

Security researchers have given alerts after an upsurge in cyberattacks spreading a malware variant known as GootLoader. The GootLoader malware loader was initially discovered in 2014. It is currently a major malware threat. The threat group responsible for the campaign is very competent. It is changing its strategies and actively creating the malware to better elude safety defenses.

The distribution of GootLoader is the initial phase of an attack chain that leads to the delivery of multiple malicious payloads like Cobalt Strike Beacon, SnowCone, and FoneLaunch. As a .NET loader, FoneLaunch loads encoded payloads to the memory while the downloader SnowCone retrieves and executes payloads for use in the following phase of the attack, which include the IcedID banking Trojan and malware dropper.

As per Mandiant security researchers, it seems that a threat actor called UNC2565 is exclusively using GootLoader. In 2022, UNC2565 implemented new tactics, techniques, and procedures (TTPs) and is actively changing its TTPs to enhance the efficiency of its campaigns, which include putting new parts and obfuscations to the infection sequence. GootLoader is mainly propagated by means of compromised sites. Sending traffic to those websites is by SEO poisoning, which entails making web content with search engine optimization techniques in mind to rank the sites high in the search engine results for particular business-associated keywords. These may include business-associated files like contract templates and service-level agreements. Whenever a user gets to the site they are misled into saving a malicious file, which is usually a ZIP archive plus an obfuscated JavaScript file that disguises as the file being explored. Upon execution of that file, the infection chain begins resulting in the installation of GootLoader and the delivery and execution of other malicious payloads.

Mandiant states UNC2565 altered the attack pattern in November 2022 and changed the .js file included in the ZIP file to have a new variant called GootLoader.PowerShell. This new variant creates a second JavaScript file in the system disk that goes to 10 hard-coded links and extracts system data. This was employed in a series of attacks on the healthcare sector in Australia at the end of 2022.

Cybereason Security researchers have likewise given an alert regarding UNC2565 after a surge in attacks in Australia, the United Kingdom, and the United States. Besides SEO poisoning, Cybereason researchers point out the group has begun driving traffic to their malicious sites using Google Ads and is currently using SystemBC and Cobalt Strike to extract data. New strategies identified consist of several JavaScript loops that delay process execution, which is thought to help avert sandbox mechanisms. They additionally mentioned that after executing GootLoader, the threat actors act immediately and manually deploy attack frameworks, lift privileges, and move laterally inside breached systems. That process usually takes under 4 hours. Whereas several sectors were targeted, attacks have mainly been centered on companies in the finance and medical industries. Researchers at Cybereason believe the level of threat is severe.

Researchers at the two firms state that UNC2565 is actively creating its TTPs and growing its functionality, and companies in the healthcare industry ought to be on increased alert. Network defenders could obtain more information on the TTPs, Indicators of Compromise (IoCs), and suggested mitigations from Mandiant’s GootLoader reports.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.