Pierluigi Paganini
March 24, 2023
Clop ransomware gang added the City of Toronto to the list of victims published on its Tor leak site. The City was targeted as part of a campaign exploiting the recently disclosed zero-day vulnerability in the Fortra’s GoAnywhere secure file transfer tool.
The gang is very active and recently it claimed to have breached tens of large organizations, including Rubrik, Onex, Axis, Bank, Rio Tinto, Hitachi Energy, and Virgin Group, as reported by the security expert Dominic Alvieri.
One of the top cybersecurity stories of the year is unfolded with CL0P^_- going everywhere.
— Dominic Alvieri (@AlvieriD) March 23, 2023
39 posts today, 72 for the week to date, 58 left roughly.
Rubrik
Onex
Axis Bank
Rio Tinto
Investissement Québec
Hitachi Energy
Sans Fifth Avenue
Procter and Gamble
Pension Protection… pic.twitter.com/XeXFnQRRbc
The news of the hack was also confirmed by BleepingComputer which reached a spokesperson for the City of Toronto. The City government launched an investigation into the incident to determine the extent of the security breach.
“Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system.” a City spokesperson told BleepingComputer.
In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.
According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.
Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.
Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”
In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, City of Toronto)
