City of Toronto and Cineplex Compromised by Clop Ransomware
The City of Toronto and Cineplex have been compromised by Clop Ransomware.
Background
Both were compromised through GoAnywhere MFT, the managed file transfer product made by Fortra (formerly HelpSystems). At the beginning of February, GoAnywhere was found to have a zero-day pre-authentication command injection vulnerability in the License Response Servlet of its administrative console. The flaw stems from deserialization of attacker-controlled data and gives an unauthenticated attacker remote code execution on the server, which in turn exposes every file the server stores or transfers. The vulnerability affects both the on-premises and SaaS versions of the product; Fortra disclosed it in a customer advisory on Feb 1, it was widely reported by Feb 3, and it is tracked as CVE-2023-0669.
Because the flaw is unauthenticated and was already being exploited in the wild, Fortra took the SaaS version offline while it worked on a fix. On Feb 6 a security researcher published a proof-of-concept exploit, and on Feb 7 Fortra released an emergency patch, GoAnywhere MFT 7.1.2, urging customers to apply it immediately. By then exploitation was well under way: through the rest of February and into March, Clop used the vulnerability to steal data from more than 130 organizations by its own count, including Procter & Gamble, Hitachi Energy, and Saks Fifth Avenue. The City of Toronto and Cineplex are the latest victims to be confirmed, and the ones closest to home.
Clop has listed the City of Toronto on its data leak site, and the City has since confirmed that data was stolen.
What You Need to Do
Fortra has released a patch for GoAnywhere, published interim mitigations, and provided steps to check your systems for compromise. Work through all of them: the patch closes the hole, but it does not evict an attacker who got in before it was applied.
Upgrade to GoAnywhere MFT 7.1.2 (or later), which contains the fix.
Limit access to the GoAnywhere administrative console to trusted source IP addresses; the console should not be reachable from the internet.
If you cannot patch immediately, disable the vulnerable component by commenting out or deleting the servlet and servlet-mapping entries for the License Response Servlet in the administrative console's web.xml file, then restart GoAnywhere. This only blocks the entry point, so patch as well.
Revoke, reset, or rotate every credential and key that integrates GoAnywhere with external systems, since an attacker with code execution on the server can read them.
Review the indicators of compromise Fortra has published for this vulnerability.
Review the audit logs and remove any admin or web user accounts you do not recognize, since an attacker who exploited the flaw may have created accounts to keep access.
For further assistance, contact Fortra support through the portal https://my.goanywhere.com/, by email at goanywhere.support@helpsystems.com, or by phone at 402-944-4242.
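The following Python script is an added example, not code from Fortra or from the original advisory. It automates two of the steps above: it comments out the License Response Servlet entries in a web.xml the way the manual mitigation describes and then verifies, by parsing the result, that no active servlet or servlet-mapping for that name remains; and it scans web server access log lines for requests to the servlet's URL mapping, which is where exploitation attempts land. The servlet name comes from the mitigation text; the URL pattern /lic/accept and the servlet class name are assumptions taken from public write-ups of CVE-2023-0669, so confirm both against your own installation. The web.xml and log lines are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Servlet name is the one Fortra's mitigation tells you to disable. The URL
# pattern and the servlet class below are assumptions from public write-ups
# of CVE-2023-0669; confirm them against your own web.xml before relying on them.
LICENSE_SERVLET_NAME = "License Response Servlet"
LICENSE_SERVLET_PATH = "/lic/accept"

# Constructed web.xml fragment in the shape Fortra's instructions describe.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
</web-app>
"""


def comment_out_license_servlet(web_xml: str) -> str:
    """Wrap the <servlet> and <servlet-mapping> blocks for the License Response
    Servlet in XML comments, the manual edit Fortra describes. Done as a text
    edit on purpose: re-serialising web.xml through an XML library would drop
    existing comments and reorder attributes. Assumes <servlet-name> is the
    first child of each block, as in the sample above."""
    block = re.compile(
        r"[ \t]*<(servlet|servlet-mapping)>\s*<servlet-name>\s*"
        + re.escape(LICENSE_SERVLET_NAME)
        + r"\s*</servlet-name>.*?</\1>",
        re.DOTALL,
    )
    return block.sub(lambda m: "<!--\n" + m.group(0) + "\n-->", web_xml)


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag so names compare cleanly."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def license_servlet_active(web_xml: str) -> bool:
    """True if web.xml still declares or maps the License Response Servlet.
    ElementTree discards XML comments, so blocks that were commented out do
    not count as active; a correctly applied mitigation returns False."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = _local(el.tag)
    declared = {s.findtext("servlet-name") for s in root.iter("servlet")}
    mapped = {m.findtext("servlet-name") for m in root.iter("servlet-mapping")}
    return LICENSE_SERVLET_NAME in declared or LICENSE_SERVLET_NAME in mapped


# Combined-format access log lines; constructed for this example, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Feb/2023:10:12:01 +0000] "GET /goanywhere/ HTTP/1.1" 200 5120',
    '203.0.113.45 - - [06/Feb/2023:10:12:09 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 312',
    '203.0.113.45 - - [06/Feb/2023:10:12:11 +0000] "GET /goanywhere/lic/accept?bundle=rO0ABXNy HTTP/1.1" 500 88',
    '198.51.100.7 - - [06/Feb/2023:10:15:44 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 9120',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_license_servlet_requests(log_lines):
    """Return (ip, timestamp, method, status) for every request whose path,
    query string excluded, ends in the License Response Servlet mapping.
    Any hit from a source you do not recognise, and any hit dated before
    the patch was applied, is a reason to run Fortra's full IoC review."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.endswith(LICENSE_SERVLET_PATH):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("status")))
    return hits


if __name__ == "__main__":
    mitigated = comment_out_license_servlet(VULNERABLE_WEB_XML)
    print("before mitigation, servlet active:", license_servlet_active(VULNERABLE_WEB_XML))
    print("after mitigation, servlet active: ", license_servlet_active(mitigated))
    for hit in find_license_servlet_requests(SAMPLE_LOG):
        print("request to license servlet:", hit)
```

Run it against a copy of your own web.xml and access logs rather than the embedded samples; the parse-based check is the one to trust, because it reports the servlet as still active if the text edit missed a block, for example one with a description element ahead of the servlet name.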
References
https://www.bleepingcomputer.com/news/security/goanywhere-mft-zero-day-vulnerability-lets-hackers-breach-servers/
https://nvd.nist.gov/vuln/detail/CVE-2023-0669
https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-exploited-goanywhere-mft-zero-day/
https://www.bleepingcomputer.com/news/security/actively-exploited-goanywhere-mft-zero-day-gets-emergency-patch/
https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/
https://www.bleepingcomputer.com/news/security/city-of-toronto-confirms-data-theft-clop-claims-responsibility/