
Zero-Day Vulnerability Used by Cybercriminal Gang to Steal Data of 1M Healthcare Patients

Community Health Systems (CHS), one of the largest healthcare providers in the United States, has confirmed that personal and protected health information of up to 1 million patients was accessed by criminal hackers. The data breach was attributed to a zero-day vulnerability in Fortra's file-transfer software, GoAnywhere MFT, which is used by large businesses to share and send large data sets securely.


Severity of Threat


CHS said it would offer identity theft protection services and notify all affected individuals whose information was exposed. Clop, a Russia-linked ransomware gang, has reportedly taken responsibility for exploiting the zero-day in a new hacking campaign and claims to have already breached over a hundred organizations that use Fortra's file-transfer technology, including CHS. The GoAnywhere vulnerability is considered high severity: it is being exploited in the wild, and the data that companies move through the software is by nature sensitive. The cybersecurity firm Huntress reported that it investigated an intrusion into a customer's network involving exploitation of the GoAnywhere zero-day. It linked the intrusion to a Russian-speaking threat actor that it calls "Silence," which has links to another group referred to as TA505, a criminal hacking crew that has been active since at least 2016 and is known for targeted campaigns involving the deployment of Clop ransomware.


Protections For Organizations


Fortra has released an emergency patch for the zero-day vulnerability in GoAnywhere and is urging all its customers to apply the fix as soon as possible. The U.S. cybersecurity agency CISA has added the GoAnywhere flaw to its public catalog of known exploited vulnerabilities and has ordered all federal civilian executive branch agencies to patch their systems before March 3. Given that the GoAnywhere zero-day is being actively exploited, Huntress expects to see "wider activity" now. Companies are advised to ensure that GoAnywhere is fully patched and running the latest version, and to limit access to the administrative console so that it is not reachable from the internet. It is also recommended that companies require multifactor authentication for the administrative console and monitor their systems for signs of a breach. Patching closes the vulnerability but does not evict an attacker who exploited it before the fix was applied, so the monitoring step matters even on a patched system. If a company is affected, it is advised to take immediate steps to contain the breach, remove the threat actor from its network, and restore from a known good backup.


How Orgs Can Prevent Similar Incidents


Almog Apirion, CEO and Co-Founder of Cyolo, a secure access provider, shared how healthcare organizations should act on this incident with Zero Trust Access strategies:

“Healthcare organizations are unfortunately no stranger to cyberattacks and data breaches. Institutions like Community Health Systems (CHS) are an attractive target for threat actors due to their troves of personal information and their reliance on third parties both for cybersecurity and other aspects of their work.

The reality is that when hackers exploit vulnerabilities in third-party security tools, the lives and privacy of patients are put at risk. Interoperability is vital for successful healthcare delivery, so a Managed File Transfer (MFT) is a needed solution. But when the admin console is accessible via the internet, it’s only a matter of time before data is breached. Any connection to a sensitive data source must be properly managed and secured.

Zero-Trust Access strategies should be employed to support the needed connections, especially between care delivery partners. This is especially useful when critical applications, like MFT, need to be connected to the internet. Having the ability to restrict access and keep the application hidden will go a long way to preventing this type of breach in the future.”
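The advice above comes down to two checks a defender can actually run: is the MFT admin console reachable from anywhere but a management network, and has anyone outside that network already been hitting it. The script below is an added example written for this article, not code from Fortra, Huntress, Cyolo or any vendor mentioned here. It parses web-server access logs in the common "combined" format, flags any request to the admin console that did not originate from an allowlisted management subnet, and reports them. The admin URL prefix (`/admin/`), the allowlisted subnets and the log lines are all constructed for the example; the real console path and log format depend on the product and deployment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the MFT admin console is served under this URL prefix on the
# same listener as the file-transfer service. Hypothetical placeholder.
ADMIN_PREFIX = "/admin/"

# Assumption: administrative traffic is only legitimate from these networks.
MGMT_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample lines in Apache/nginx "combined" log format (not real logs).
# 203.0.113.45 is an internet address (TEST-NET-3) that touches the admin
# login twice, the second time with a redirect that looks like a successful
# login; the others are an allowlisted admin and an ordinary file-transfer user.
SAMPLE_LOG = """\
10.20.4.17 - admin [06/Feb/2023:09:14:02 +0000] "GET /admin/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.45 - - [06/Feb/2023:09:15:10 +0000] "GET /admin/login HTTP/1.1" 200 1532 "-" "python-requests/2.28"
203.0.113.45 - - [06/Feb/2023:09:15:11 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.9 - jdoe [06/Feb/2023:09:16:40 +0000] "GET /webclient/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.168.50.8 - admin [06/Feb/2023:09:20:05 +0000] "GET /admin/dashboard HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    user_agent: str


def is_allowlisted(ip: str) -> bool:
    """True if the source address falls inside a management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_unauthorized_admin_access(log_text: str) -> list[Finding]:
    """Return every admin-console request from a non-allowlisted source.

    Lines that do not parse are skipped rather than treated as findings, so a
    stray format change does not flood the report; count them separately if
    you need to know the parser is keeping up with the log.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if not m["path"].startswith(ADMIN_PREFIX):
            continue  # ordinary file-transfer traffic is expected from anywhere
        if is_allowlisted(m["ip"]):
            continue  # admin traffic from a management network is expected
        findings.append(
            Finding(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])
        )
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_admin_access(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.status} ({f.user_agent})")
```

Run against the constructed sample, the report shows only the two requests from 203.0.113.45. The same allowlist is the one that belongs in the firewall or reverse proxy in front of the console: if the log contains any findings at all, the network control is missing or has a hole, and each finding is a candidate for the incident-response path the article describes (contain, evict, restore). The scripted user agent on the flagged lines is a hint, not proof; a browser user agent is just as easy for an attacker to send.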


###
