City of Toronto Confirms Data Theft, Clop Ransomware Gang Claims Responsibility

March 23, 2023

The City of Toronto has confirmed unauthorized access to its data, with the Clop ransomware gang claiming responsibility for the breach. The attack is part of the ongoing GoAnywhere hacking spree targeting organizations running the vulnerable GoAnywhere file transfer utility. Other victims listed alongside the Toronto city government include the UK's Virgin Group and the Pension Protection Fund, a statutory corporation. By exploiting a remote code execution flaw in Fortra's GoAnywhere secure file transfer tool, Clop claims to have breached more than 130 organizations thus far.

"On March 20, the City became aware of potential unauthorized access to City data," a City of Toronto spokesperson told the media. "Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system." The spokesperson stated that the City government is actively investigating the details of the identified files. "The City of Toronto is committed to protecting the privacy and security of Torontonians whose information is in its care and control and successfully wards off cyber attacks on a daily basis."

Toronto is among Clop's growing list of victims running vulnerable versions of a Fortra (formerly HelpSystems) program called GoAnywhere. The flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances whose administrative console is exposed to the Internet. Fortra had previously disclosed to its customers that the vulnerability had been exploited as a zero-day in the wild and urged them to patch their systems.

In February, Clop claimed it had breached 130+ organizations and stolen their data over the course of ten days by exploiting this particular vulnerability on enterprise servers. Since then, the list of victims has continued to grow daily. This month, Hitachi Energy, Saks Fifth Avenue, and cybersecurity company Rubrik disclosed that they had been impacted by Clop through the same zero-day.

Clop's victims from this week also include the UK's Virgin Red, Virgin Group's rewards club, which lets customers earn and spend points across Virgin businesses, such as Virgin Atlantic, and other partner organizations. "We were recently contacted by a ransomware group, calling themselves Cl0p, who illegally obtained some Virgin Red files via a cyber-attack on our supplier, GoAnywhere," a Virgin spokesperson said. "The files in question pose no risk to customers or employees as they contain no personal data."

Another organization to confirm it was affected through the file transfer software vendor is the UK's Pension Protection Fund (PPF), a statutory public corporation that is accountable to the UK Parliament through the Secretary of State for the Department for Work and Pensions. In PPF's case, the ransomware and extortion group has managed to get its hands on employee data. "Regrettably some of our current and former employees have been affected by the potential breach," announced the organization in a statement. "We have already advised all of those affected of the situation and offered our support and additional monitoring services to help them." PPF has since stopped using GoAnywhere and continues to work closely with Fortra, its security partners, and law enforcement agencies as part of the investigation.

Organizations running the vulnerable GoAnywhere secure file transfer utility should patch their systems as soon as possible to safeguard themselves from such cyber attacks.
