Data Breach

Community Health Systems data breach caused by GoAnywhere MFT hack

Community Health Systems (CHS) disclosed a data breach, attackers exploited the zero-day vulnerability in Fortra’s GoAnywhere MFT platform.

Community Health Systems (CHS) is one of the nation’s leading healthcare providers. CHS operates 79 acute-care hospitals and more than 1,000 other sites of care, including physician practices, urgent care centers, freestanding emergency departments, occupational medicine clinics, imaging centers, cancer centers and ambulatory surgery centers.

Community Health Systems (CHS) was the victim of a cyber attack, threat actors exploited the recently disclosed zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer platform.

Community Health Systems was recently notified by its third-party provider Fortra, that Fortra had experienced a security incident that exposed Company data. CHS launched an investigation to determine whether any its systems were affected and discovered that up to 1 million patients were impacted.

Community Health Systems chsCommunity Health Systems chs

“Upon receiving notification of the security breach, the Company promptly launched an investigation, including to determine whether any Company information systems were affected, whether there was any impact to ongoing operations, and whether and to what extent PHI or PI had been unlawfully accessed by the attacker.” reads a 8-K form filed with the SEC. “While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care. With regard to the PHI and PI compromised by the Fortra breach, the Company currently estimates that approximately one million individuals may have been affected by this attack.

The company will offer protection services and notify all impacted individuals whose information was exposed in the data breach.

Last week, the Clop ransomware gang told BleepingComputer that they were able to compromise over 130 organizations in just ten days by exploiting the GoAnywhere MFT, but did not share details regarding their claims.

The crooks also claims to have fully compromised the network organizations, but did not deploy any ransomware.

Multiple experts already released exploits for the CVE-2023-0669 vulnerability, on February 6, 2023, the researcher Florian Hauser of IT security consulting firm Code White released a proof-of-concept (PoC) exploit code.

Researchers at threat intelligence firm Huntress shared findings of their investigation into GoAnywhere MFT exploitation and linked the attacks to the TA505 threat actors.

Last week CISA also added the GoAnywhere MFT flaw to its  Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Community Health Systems)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack

A new Russia-linked APT group, tracked as Laundry Bear, has been linked to a Dutch…

4 hours ago

Nova Scotia Power confirms it was hit by ransomware attack but hasn’t paid the ransom

Nova Scotia Power confirms it was hit by a ransomware attack but hasn't paid the…

12 hours ago

Crooks stole over $200 million from crypto exchange Cetus Protocol

Cetus Protocol reported a $223 million crypto theft and is offering to drop legal action…

12 hours ago

Marlboro-Chesterfield Pathology data breach impacted 235,911 individuals

SafePay ransomware hit Marlboro-Chesterfield Pathology, stealing personal data of 235,000 people in a major breach.…

24 hours ago

China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure

China-linked APT exploit Ivanti EPMM flaws to target critical sectors across Europe, North America, and…

1 day ago

Fake software activation videos on TikTok spread Vidar, StealC

Crooks use TikTok videos with fake tips to trick users into running commands that install…

1 day ago