Australian casino giant Crown Resorts has confirmed that the Cl0p ransomware group contacted them to claim the theft of data as part of the GoAnywhere attack. The incident took place in late January when a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software was exploited to access files belonging to Fortra customers. The exploitation of the bug, tracked as CVE-2023-0669 and patched in early February, was attributed to a Russian-speaking threat actor associated with the Cl0p ransomware, which recently started adding the names of alleged victims to its Tor-based leak site.
The Cl0p ransomware operators have claimed the theft of data from around 130 organizations that used GoAnywhere, with some of them already confirming potential impact, including Community Health Systems, Hitachi Energy, Hatch Bank, Rubrik, Atos, City of Toronto, Procter & Gamble, Pluralsight, Saks Fifth Avenue, UK’s PPF, Virgin Red, and Rio Tinto. Several of the affected organizations informed that the stolen data poses no threat to customers or employees.
Crown Resorts issued a public statement on its website confirming that it was a Fortra customer and that the Cl0p ransomware operators contacted it to claim the theft of company data: “We were recently contacted by a ransomware group who claim they have illegally obtained a limited number of Crown files. We are investigating the validity of this claim as a matter of priority. We can confirm no customer data has been compromised and our business operations have not been impacted. We are continuing to work with law enforcement and have notified our gaming regulators as part of the ongoing investigation and will provide relevant updates, as necessary.”
Crown Resorts, the largest gaming and entertainment group in Australia, operates large complexes in Melbourne, Perth, and Sydney. It was acquired by US private equity firm Blackstone in 2022. German insurer giant Munich Re, which was also added to Cl0p’s leak site, stated that the incident only impacted some test files. “Munich Re currently has no contractual relationship with the company affected. For test purposes, only test files with meaningless content were sent, i.e., containing no business, client or personnel data,” the company said.
Fortra may face a class action suit as a result of the cyberattack, a complaint filed with the US District Court for the District of Minnesota shows. According to the complaint, the company failed to properly secure the MFT service, which led to the January data breach that affected over 139,000 individuals.