Community Health Systems, based in Franklin, TN, recently reported being affected by a security incident at the cybersecurity firm Fortra. Unauthorized individuals gained access to the protected health information (PHI) of around 1 million of its patients. Community Health Systems is one of the largest health systems in the United States, managing 79 hospitals and over 1,000 healthcare websites in 16 states. On February 13, 2023, Community Health Systems confirmed in a Securities and Exchange Commission 8-K filing that it had just been informed by Fortra of a security incident affecting a portion of its PHI.
Community Health Systems stated that the breach appears to have affected only Fortra’s GoAnywhere MFT platform. Its own systems were not compromised, and patient care was not affected. It is too soon to say exactly what data was exposed, the extent of any data theft, and how many people were affected; however, Community Health Systems believes around 1 million people were most likely affected.
Community Health Systems stated that it has a cyber insurance policy that provides some degree of protection against losses caused by cyberattacks, and it will provide identity theft protection services to affected individuals. More information will be published as the investigation unfolds.
Zero-Day Vulnerability Exploited in Over 130 Cyber Attacks
Fortra is a cybersecurity firm that offers a secure file transfer platform known as GoAnywhere MFT. Fortra recently announced that it had discovered a zero-day vulnerability being exploited in the wild. When the security notification was issued, no patch was yet available to resolve the vulnerability. Fortra informed all customers, suggested mitigations to prevent exploitation of the vulnerability, and then released an emergency patch the following day.
The vulnerability, tracked as CVE-2023-0669, can be exploited remotely on GoAnywhere MFT instances whose admin consoles are exposed to the internet, allowing a malicious actor to execute code remotely. This week, a proof-of-concept (PoC) exploit for the vulnerability was released to the public. The vulnerability cannot be exploited when the admin console is only accessible from a private network or via a VPN, or when allow-lists have been configured to restrict access to trusted IP addresses.
Bleeping Computer reported that a hacker claiming to be a member of the Clop ransomware gang said the group had exploited the vulnerability at over 130 companies. The exploit gave them access to systems, from which they moved laterally. Although ransomware could have been deployed, the group chose only to exfiltrate data in an extortion-only attack.
The same tactics were used in December 2020 in a series of attacks that exploited a zero-day vulnerability in the Accellion File Transfer Appliance (FTA). Roughly 100 organizations were affected, had data stolen, and were subjected to extortion attempts. The data was eventually leaked on the Clop data leak site when no ransom was paid. The FIN11 group, which has ties to the Clop ransomware group, was responsible for the attacks.
Although the claims of the Clop ransomware member have not been verified, Joe Slowik, Threat Intelligence Manager at the cybersecurity company Huntress, has linked the attacks to the threat actor tracked as TA505, which has previously conducted ransomware attacks using the Locky, GlobeImposter, Philadelphia, and Clop ransomware variants. Bleeping Computer reports that Shodan scans show over 1,000 GoAnywhere MFT instances exposed online, but only 136 of them are vulnerable to the flaw, because they can be reached via ports 8000 and 8001, which are used by the vulnerable admin console.
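The mitigation described above, restricting the admin console to an allow-list of trusted addresses, can be checked from the defender's side by reviewing who actually reached the console ports. The following Python script is an added example and is not part of the original article or of Fortra's product: it parses a constructed connection log for the admin console ports 8000 and 8001 named above and flags allowed connections from addresses outside a hypothetical trusted-network list. Any such finding means the console is reachable from an address the allow-list was supposed to exclude, which is the exposure condition the article describes. The log format, the trusted ranges and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Ports the article says are used by the GoAnywhere MFT admin console.
ADMIN_CONSOLE_PORTS = {8000, 8001}

# Hypothetical allow-list of trusted networks (constructed for this example).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumed connection-log format (constructed, not a real product log):
#   <timestamp> src=<ip> dst_port=<port> action=<allow|deny>
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst_port=(?P<port>\d+)\s+action=(?P<action>\w+)")

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for arbitrary internet addresses.
SAMPLE_LOG = """\
2023-02-10T08:01:12Z src=10.20.3.4 dst_port=8000 action=allow
2023-02-10T08:02:50Z src=192.168.50.17 dst_port=8001 action=allow
2023-02-10T08:05:03Z src=203.0.113.25 dst_port=8000 action=allow
2023-02-10T08:05:09Z src=198.51.100.7 dst_port=8001 action=allow
2023-02-10T08:06:00Z src=203.0.113.25 dst_port=443 action=allow
2023-02-10T08:07:41Z src=198.51.100.9 dst_port=8000 action=deny
"""


def is_trusted(src, networks=TRUSTED_NETWORKS):
    """True if the source address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def parse_log(text):
    """Yield (src, port, action) for each line that matches the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # ignore lines that do not carry a connection record
        yield m.group("src"), int(m.group("port")), m.group("action")


def find_untrusted_admin_access(text, networks=TRUSTED_NETWORKS):
    """Return (src, port) pairs for allowed admin-console connections
    that came from outside the allow-list. Denied connections are not
    findings: they show the allow-list doing its job."""
    findings = []
    for src, port, action in parse_log(text):
        if port not in ADMIN_CONSOLE_PORTS:
            continue  # the web/file-transfer listener (e.g. 443) is out of scope here
        if action == "allow" and not is_trusted(src, networks):
            findings.append((src, port))
    return findings


def admin_console_exposed(text, networks=TRUSTED_NETWORKS):
    """True if any untrusted address was allowed through to the admin console."""
    return len(find_untrusted_admin_access(text, networks)) > 0


if __name__ == "__main__":
    for src, port in find_untrusted_admin_access(SAMPLE_LOG):
        print(f"admin console on port {port} reached from untrusted address {src}")
    print("exposed:", admin_console_exposed(SAMPLE_LOG))
```

Run against the constructed sample, the script reports two findings (203.0.113.25 on port 8000 and 198.51.100.7 on port 8001); the connection to port 443 is not an admin-console port and the denied attempt from 198.51.100.9 shows the allow-list working as intended. In a real deployment the same check belongs in a scheduled job over the firewall or reverse-proxy logs in front of the console, with the trusted ranges taken from the actual allow-list configuration.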
Healthcare Sector Cautioned About Growing GootLoader Malware Attacks
Security researchers have issued alerts following a surge in cyberattacks distributing a malware variant known as GootLoader. The GootLoader malware loader was first discovered in 2014 and is now a major malware threat. The threat group behind the campaign is highly capable; it is changing its tactics and actively developing the malware to better evade security defenses.
The distribution of GootLoader is the initial phase of an attack chain that leads to the delivery of multiple malicious payloads, including Cobalt Strike Beacon, SnowCone, and FoneLaunch. FoneLaunch is a .NET loader that loads encoded payloads into memory, while SnowCone is a downloader that retrieves and executes payloads for the next phase of the attack, including the IcedID banking Trojan and malware dropper.
Researchers at the two firms state that UNC2565 is actively developing its TTPs and expanding its capabilities, and that organizations in the healthcare sector should be on heightened alert. Network defenders can find more information on the TTPs, Indicators of Compromise (IoCs), and recommended mitigations in Mandiant’s GootLoader reports.