City Of Toronto Admits Data Theft, Clop Takes Blame

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 24, 2023 02:08 am PST

The City of Toronto acknowledged today that a third-party vendor did provide unlawful access to municipal data. The access is restricted to files that could not be transferred securely to a third party. A city spokesperson, Alex Burke, stated, “The City is actively researching the specifics of the detected files.” The statement came after the city was identified as an organization that utilized the GoAnywhere file transfer program at the time of the ransomware assault. There was “no exfiltration of internal data, nor resident data,” according to the city’s study.

Many businesses that utilized the compromised GoAnywhere file transfer software at the time of the hack have been identified, indicating that additional victims are likely to come forward. The Russia-linked Clop gang has recently added dozens of additional firms to its dark web leak site, which it uses to further blackmail businesses by threatening to disclose the stolen files unless a monetary ransom demand is met.

From Investissement Québec, the largest financial institution in Canada, the ransomware organization recently took “certain employee personal information”; it also claimed to have penetrated dozens of other businesses. According to spokeswoman Isabelle Fontaine, the issue happened at Fortra, formerly HelpSystems, which makes the risky GoAnywhere file transfer program.

In a related incident involving its GoAnywhere system, Hitachi Energy acknowledged this week that some of its employee data had been stolen, although it claimed the event occurred at Fortra. Although the number of victims of the major hack is growing, its impact is, at best, unclear.

Clop Used GoAnywhere In The Attack On The City Of Toronto

Clop claims to have infiltrated 130 organizations since the assault in late January or early February; the precise date is uncertain. Clop used a system called GoAnywhere, which can be hosted in the cloud or on a company’s network and enables businesses to transfer large sets of data and other large files securely.

Fortra, which has yet to make any public statements about the event, is aware of which of its clients are impacted. When contacted by email prior to publication, Fortra spokespeople Mike Devine and Rachel Woodford refused to comment or respond to any of our inquiries, including whether the company’s internal GoAnywhere systems that host customers’ data were also hacked in bulk.

Details of the bug, which Fortra had concealed behind a login screen on its website, were only made public on February 2 after independent security reporter Brian Krebs published his initial report. Five days later, on February 7, Fortra made security updates available for GoAnywhere. By that time, the hackers had already stolen countless victims’ data.

Community Health Services, one of the largest healthcare providers in the US, was the first to disclose that it was one of the 130 supposedly hacked companies, stating that their compromised GoAnywhere system had been used to steal the health information of at least 1 million patients. Cybersecurity juggernaut Rubrik was the second to announce a breach linked to the GoAnywhere issue, followed by digital finance goliath Hatch Bank. The list continues to grow.

Clop may be aware of the data it has obtained in its cyber-smash-and-grab. Some businesses known to use GoAnywhere have just been added to Clop’s leak site. Many others stated that they weren’t impacted.

One of Clop’s most recent additions is the payment software startup AvidXchange. While it uses GoAnywhere to send files to a particular business that prints its checks, the business does not store any data on Fortra’s platform.

Olivia Sorrells, a representative for AvidXchange, said that “our forensics further prove our conclusion on this matter.” The spokesperson stated that “the week the [vulnerability] was revealed, Fortra alerted AvidXchange of the vulnerability, repair, and the results of their investigation into AvidXchange’s GoAnywhere account.” As GoAnywhere learned about the issue, it “took AvidXchange’s instance down to further prevent unauthorized access to the platform.”

At Saks Fifth Avenue, the world’s largest department store, which was just added to Clop’s leak site, the hackers used the GoAnywhere vulnerability to extract fictitious client information from its systems. According to Saks spokesperson Nicola Schoenberg, “the mock customer data does not include genuine customer or payment card information and is only used to simulate client orders for testing purposes.”

When asked if their GoAnywhere systems, which Fortra most likely hosts, were impacted, other companies recently added to Clop’s website declined to respond.

That includes child mental health startup Brightline, whose CEO Naomi Allen deferred to spokesperson John O’Connor, who declined to comment; Swiss pharmaceutical giant Galderma, whose spokesperson Christian Marcoux declined to answer our questions; healthcare call center provider ITx Companies, whose CEO Philip Gower declined to comment; events planner Emerald Expositions, whose spokesperson Beth Cowperthwaite declined to comment; and MedMinder, whose spokesperson Stacy declined to comment.

As noted by TechCrunch, Clop has made available samples of the allegedly stolen data from Onex, including W-9 tax forms, payment orders, and employee data such as names, genders, and email addresses. Requests for comment sent to Onex have not yet been answered.

Other known GoAnywhere users, including Canadian rehab and mental health provider Homewood Health, English affordable housing provider Guinness Partnership, retail banking firm Avidia Bank, Medex Healthcare, Cornerstone Home Lending, and Colombian energy giant Grupo Vanti, did not reply to multiple requests for comment.


The City of Toronto is one of the most recent victims of the GoAnywhere hacking campaign by the Clop ransomware gang. Using Fortra’s GoAnywhere secure file transfer application, Clop claims it has breached more than 130 firms by taking advantage of a remote code execution issue. Together with the Toronto municipal government, other victims on the list include Pension Protection Fund, a statutory business, and UK’s Virgin Red.

The City of Toronto has been impacted by the Clop ransomware gang’s persistent attacks on businesses utilizing the vulnerable GoAnywhere file transfer service. Dominic Alvieri, a threat intelligence expert who is following the situation and shared the discovery with BleepingComputer, claims that the ransomware gang had previously identified the victim on its dark web data leak site. “The City of Toronto has now acknowledged that a third-party vendor did provide unlawful access to Municipal data. The access is restricted to files that couldn’t be transferred securely through a third party system.”
