Several major enterprises fell victim to threat actors who started exploiting a zero-day vulnerability in Fortra’s GoAnywhere file-sharing software in late January.
On January 30, Fortra (formerly known as HelpSystems) became aware of a zero-day vulnerability impacting its GoAnywhere MFT (managed file transfer) software.
In response, the vendor issued a private advisory exclusively to authenticated users on February 1, alerting them about the ongoing cyberattack and the risks of exposing the administrative console to the web.
The following day, security journalist Brian Krebs disclosed the vulnerability publicly; it had neither a CVE ID nor a patch until February 7.
The Clop gang told Bleeping Computer that “they used the flaw over ten days to steal data from 130 companies.”
Although these claims were not supported by an official statement from Fortra at the time, large enterprises have since come forward and confirmed that the zero-day attack had compromised company data in some capacity.
With the “threat actors slowly leaking data from companies while demanding million-dollar ransoms,” it has quickly become one of the most high-profile cyberattacks of the year.
Sustainable energy company Hitachi Energy, California-based digital bank Hatch Bank, cybersecurity firm Rubrik, and healthcare provider Community Health Systems have all confirmed being impacted by the GoAnywhere attack.
Speaking to SecurityWeek, the City of Toronto confirmed that an incident with a third-party vendor had led to some data being compromised.
Major enterprises affected by the exploit that have recently come forward include Procter & Gamble (P&G), Saks Fifth Avenue, Pluralsight, and the Pension Protection Fund.
The Virgin Group was even contacted by the threat actors, who claimed to have “illegally obtained some Virgin Red files via a cyber-attack on our supplier, GoAnywhere.”
Community Health Systems (CHS) disclosed on March 7 that it launched a data breach investigation following notification from Fortra about a security incident impacting the MFT software.
The US-based healthcare provider, which operates 79 hospitals in 16 states, said the investigation found that patient information, a small amount of employee information, and other individual data may have been compromised.
The stolen data includes Social Security numbers, names, addresses, medical billing, and insurance data, as well as diagnoses and medication details, among other sensitive information.
The Clop gang’s reported exploitation of a GoAnywhere MFT zero-day to extract sensitive files from secure sharing servers is similar to their use of an Accellion FTA zero-day vulnerability to steal data from approximately 100 companies in December 2020.
The hacker gang has also been linked to ransomware attacks since 2019, targeting victims such as Software AG IT, Maastricht University, ExecuPharm, and Indiabulls.