Pierluigi Paganini February 15, 2023

Community Health Systems (CHS) disclosed a data breach, attackers exploited the zero-day vulnerability in Fortra’s GoAnywhere MFT platform.

Community Health Systems (CHS) is one of the nation’s leading healthcare providers. CHS operates 79 acute-care hospitals and more than 1,000 other sites of care, including physician practices, urgent care centers, freestanding emergency departments, occupational medicine clinics, imaging centers, cancer centers and ambulatory surgery centers.

Community Health Systems (CHS) was the victim of a cyber attack, threat actors exploited the recently disclosed zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer platform.

Community Health Systems was recently notified by its third-party provider Fortra, that Fortra had experienced a security incident that exposed Company data. CHS launched an investigation to determine whether any its systems were affected and discovered that up to 1 million patients were impacted.

“Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker.” reads a 8-K form filed with the SEC. “While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.“

The company will offer protection services and notify all impacted individuals whose information was exposed in the data breach.

Last week, the Clop ransomware gang told BleepingComputer that they were able to compromise over 130 organizations in just ten days by exploiting the GoAnywhere MFT, but did not share details regarding their claims.

The crooks also claims to have fully compromised the network organizations, but did not deploy any ransomware.

Multiple experts already released exploits for the CVE-2023-0669 vulnerability, on February 6, 2023, the researcher Florian Hauser of IT security consulting firm Code White released a proof-of-concept (PoC) exploit code.

Researchers at threat intelligence firm Huntress shared findings of their investigation into GoAnywhere MFT exploitation and linked the attacks to the TA505 threat actors.

Last week CISA also added the GoAnywhere MFT flaw to its  Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Community Health Systems)