Ransomware Gang Uses New Zero-Day To Steal Data On 1 Million Patients

Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. TechCrunch reports: The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT, developed by Fortra (previously known as HelpSystems), which is deployed by large businesses to share and send large sets of data securely. Community Health Systems said that Fortra recently notified it of a security incident that resulted in the unauthorized disclosure of patient data. "As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company's affiliates were exposed by Fortra's attacker," according to the filing by Community Health Systems, which was first spotted by DataBreaches.net. The healthcare giant added that it would offer identity theft protection services and notify all affected individuals whose information was exposed, but said there had been no material interruption to its delivery of patient care.

CHS hasn't said what types of data were exposed and a spokesperson has not yet responded to TechCrunch's questions. This is CHS' second-known breach of patient data in recent years. The Russia-linked ransomware gang Clop has reportedly taken responsibility for exploiting the new zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra's file-transfer technology -- including CHS. While CHS has been quick to come forward as a victim, Clop's claim suggests there could be dozens more affected organizations out there -- and if you're one of the thousands of GoAnywhere users, your company could be among them. Thankfully, security experts have shared a bunch of information about the zero-day and what you can do to protect against it. Security researcher Brian Krebs first flagged the zero-day vulnerability in Fortra's GoAnywhere software on February 2.

"A zero-day remote code injection exploit was identified in GoAnywhere MFT," Fortra said in its hidden advisory. "The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)."

GoAnywhere MFT just to funny

[oldgraybeard]

GoAnywhere MFT supports secure file transfers in the cloud, either your cloud platform or our MFTaaS option. Sure seems like an additional attack vector layered into your infrastructure which is controlled by a 3rd party.

Easily connect to the external cloud and web applications you use every day. Use GoAnywhereâ(TM)s out-of-the-box Cloud Connectors

I really like the free version that has an ftp client! What is next? Everyone securely telnet'ing in to their cloud infrastructure?
Who would choose to use this?

wait TaaS (telnet as a service) lets do a new startup.

Re:

[Mr0bvious]

Numpties..

That's who.

Privacy & Secruity is a myth in the 21st centu

[Hey_Jude_Jesus]

If it is accessible on the Internet it is NOT secure.

Re:

[Moryath]

In a rare moment... I agree with the perspective of a clearly fake account with a 6-million-count UID#. Cybercriminals generally are wastes of otherwise usable water (35 L), carbon (20 kg), ammonia (4 L), lime (1.5 kg), phosphorus (800 g), salt (250 g), saltpeter (100 g), sulfur (80 g), fluorine (7.5 g), iron (5 g), silicon (3 g) and trace amounts of fifteen other elements. [fandom.com]

"New zero day"

[Tony Isaac]

Every "zero day" vulnerability is by definition...new.

Re:

[CaptQuark]

New Zero Day sounds better than "previously unannounced zero day that hasn't been around long enough to be just referred to as a known exploit"

Just give the patients Lifelock

[gavron]

Sure, you got hacked because "zero-day" and you thought customer and patient data systems should be on the Internet.

Just give everyone a year of Norton Lifelock. Oh, wait, they got hacked too?

Give them a year of LastPass to protect passwords (but not SSNs, DoBs, addresses, or other personally identifiable private information). Oh, they got hacked too?

Time to get some federal legislation. If you got hacked and there was no good reason for the data to be accessible to the world, you pay. A lot. Not $12. Not $7. Not $5 like Experien paid me when they were hacked. A lot. No "free one year subscription" to Norton, Lastpass, Car&Driver, or even Netflix. Just pay me cash because now i have to clean up the mess you made, and there's an actual cost to that.

Corporate greed and lack of desire to have modern security deserves government oversight and fines.

My fridge doesn't need to be on the Internet. Neither should my private information I gave you because i have to because you employ my doctor/mechanic/roofer/tradesman.

E

Re:

[cmseagle]

It sounds like you'd advocate going back to the days where the only way for a patient to obtain access to their medical record was to go to the clinic and beg someone to take the time to make photocopies (or, better yet, fax them to you).

There are downsides to medical records being accessible electronically. There are downsides to them being totally locked down. As with most things, you have to do a cost/benefit analysis before categorically declaring that the data shouldn't ever be accessible over the i

Where's the ransom?

[Tony Isaac]

Aren't ransomware gangs supposed to demand...a ransom? The article doesn't talk about any demands. What was the group's goal? To sell the data? If so, that wouldn't be ransomware, that would be just a data breach for profit.

Re:

[Voyager529]

Aren't ransomware gangs supposed to demand...a ransom? The article doesn't talk about any demands. What was the group's goal?

Just speculation here, but one reasonable explanation would be that they *generally* do the ransomware thing, but they may have discovered that this particular victim either had damn good backups in place.

Alternatively, this being a very large health care provider, they could have shifted their strategy. "We're down because we got hacked" affects patient care, and they may have had just enough of a conscience to not turn hospital patients into victims like happened at the UK's NHS...or they may have learned

Re:

[Tony Isaac]

Of course, these are all possibilities. It would have been nice if the article explained this. Instead, it called the group a "ransomware" gang, probably because that's the scariest term out there right now, that will generate the most clicks. If the gang has morphed, then the term "ransomware gang" no longer applies. They are just a gang.

hear me out

[gTsiros]

if i can click some buttons, push some keys, while in my underpants sipping a room temperature dr pepper
and manage to get there even though i shouldn't
it means you shouldn't be using computer networks to handle data

stick to pen and paper

Ironic symmetry

[Bob_Who]

These demands may be proportional to the shock an awe one million patients experience when their survival must meet the outrageous costs demanded of them without negotiation. Now I bet they'll see the value of negotiating price..