Health info for 1 million patients stolen using critical GoAnywhere vulnerability

The picture shows a security scanner extracting viruses from strings of binary code.words and hands

Getty Images

One of the largest US hospital chains said it obtained protected health information for 1 million patients after hackers exploited a vulnerability in an enterprise software product called GoAnywhere.

Community Health Systems of Franklin, Tennessee, said in filings with the Securities and Exchange Commission on Monday that the attack targeted GoAnywhere MFT, a Fortra-licensed managed file transfer product for large organizations. said. An ongoing investigation so far has revealed that the hack likely affected his million people, according to the filing. The compromised data included protected medical information as defined in the Health Insurance Portability and Accountability Act, as well as private patient information.

Two weeks ago, journalist Brian Krebs issued an undisclosed advisory to customers on Mastodon warning that cybersecurity firm Fortra recently learned of a “zero-day remote code injection exploit” targeting GoAnywhere. said. This vulnerability has since been assigned his CVE-2023-0669. Fortra he patched the vulnerability in his 7.1.2 release on February 7th.

“The attack vector for this exploit requires access to the application’s management console, which in most cases is only accessible from within a private corporate network, over a VPN, or by an allowlisted IP address. (Azure or AWS if running in a cloud environment),” says the recommendation cited by Krebs. It further states that hacking is possible “if the management interface is exposed or if appropriate access controls cannot be applied to this interface.”

Fortra states that attacks are mostly only possible on the customer’s private network, but Community Health Systems filings state that Fortra is an entity that has “experienced a security incident” and that the company has directly issued a “Fortra He said he knew of the infringement.

“As a result of the security breach Fortra has experienced, Protected Health Information (“PHI”) (as defined in the Health Insurance Portability and Accountability Act (“HIPAA”)) and certain patient “personal information” ( “PI”), one of our affiliates, was exposed by Fortra attackers,” the filing said.

In an email requesting an exact description of which company’s network was compromised, Fortra officials wrote: To address this, we have taken steps such as temporarily suspending this service to prevent further unauthorized activity, notifying all customers who may have been impacted, and sharing mitigation guidance. We immediately took several steps to do so. Recently developed patch. ” The statement did not elaborate.

Fortra declined to comment beyond what was disclosed in Monday’s SEC filing.

Last week, security firm Huntress reported that the breach experienced by one of its customers was the result of exploiting a vulnerability in GoAnywhere, most likely CVE-2023-0669. The leak occurred on his February 2nd, when Krebs posted an undisclosed recommendation to his Mastodon.

According to Huntress, the malware used in this attack was an updated version of a family called Truebot used by a threat group called Silence. Silence, on the other hand, has ties to a group tracked as his TA505, which is a ransomware group, he has ties to Clop.

“Based on the observed behavior and previous reports, the activity Huntress observed was aimed at deploying ransomware, with the potential for further opportunistic exploitation of GoAnywhere MFT for the same purpose. We can conclude with some degree of certainty,” writes Huntress researcher Joe Slowwick.

Further evidence that Clop was responsible came from Bleeping Computer. Last week, the publication said a Clop member was responsible for hacking 130 organizations using his CVE-2023-0669, but provided no evidence to support that claim.

In their analysis, researchers at security firm Rapid7 described the vulnerability as a “pre-authentication deserialization issue” with a “very high” exploitability and attacker value rating. To exploit this vulnerability, an attacker would need either network-level access to her GoAnywhere MFT’s administrative port (port 8000 by default) or the ability to target an internal user’s browser.

Given the ease of attack and the successful release of proof-of-concept code that exploits the critical vulnerability, organizations using GoAnywhere should take this threat seriously. Of course, patching is the most effective way to prevent attacks. A quick fix that GoAnywhere users can take if a patch cannot be applied immediately is to restrict network-level access to the admin port to the fewest possible users, and prevent browser users from accessing vulnerable endpoints. is to remove their web.xml files.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *