
ERGO Group parent Munich Re, Virgin Red, and several other companies have confirmed they were attacked via Fortra’s GoAnywhere vulnerability. However, they don’t appear all that rattled, with one victim even telling Cybernews that the threat actors took only “meaningless content.”
Cl0p’s attack spree has dominated the headlines since last week, when the cybercriminals announced they had penetrated the defenses of over 130 companies using a zero-day vulnerability in Fortra’s GoAnywhere MFT file-sharing platform.
On March 23 alone, Cl0p added close to 40 names, such as Procter & Gamble (P&G), to its dark-web blog, which it uses to publicize its latest victims. However, the impact of the attacks remains disputed, as some companies downplay the value of the data that the attackers took.
Russia-linked Cl0p claimed it breached Virgin, a multi-billion-dollar British conglomerate. However, the company told Cybernews the attack only involved Virgin Red, Virgin Group’s rewards club, and not the group itself.
“We were recently contacted by a ransomware group, calling themselves Cl0p, who illegally obtained some Virgin Red files via a cyberattack on our supplier, GoAnywhere. The files in question pose no risk to customers or employees as they contain no personal data,” the company told Cybernews.
Another Cl0p victim, German multinational insurance company and ERGO Group parent Munich Re, also confirmed a security incident related to “an external service provider.”
However, the German insurer with revenues exceeding $50 billion said it had no contractual relationship with the company and was prepared to deal with the security issue.
“Indeed, Munich Re has identified an information security incident at an external service provider, but we have no contractual relationship with the company affected. For test purposes, only test files with meaningless content were sent,” the company told Cybernews.
American education company Pluralsight, also added to Cl0p’s list of victims on March 23, likewise confirmed the attack but appeared to shrug it off, saying that the company’s “products and infrastructure were not affected by this incident.”
A Pluralsight representative told Cybernews that the company did use GoAnywhere but had severed all ties with the product after Fortra informed it of the incident.
“When Fortra informed us of this incident, we immediately discontinued use of the product and notified all of our affected customers and explained the potential risks to their data,” Pluralsight told Cybernews.
The UK’s Pension Protection Fund (PPF), a statutory organization intended to protect pension schemes across the country, was also recently breached but pointed out that the organization’s systems were not affected.
“We can confirm that a breach of one of our suppliers has taken place, [but] our own systems are unaffected and remain secure,” the company told Cybernews.
However, PPF issued a separate statement saying that the GoAnywhere attacks exposed the data of some of its current and former employees.
Another supposed Cl0p victim, high-end jet manufacturer Bombardier Aviation, told us it has confirmed that the breach did not result in the loss of any new data.
“Bombardier is aware and has validated this [is] not a new data breach, and is a reposting of the previously reported 2021 breach,” the company’s spokesperson explained to Cybernews.
Cl0p recently claimed dozens of victims on its blog, citing the zero-day bug found in Fortra’s GoAnywhere managed file transfer platform. Shell, Hitachi, Hatch Bank, Stanford University, Rubrik, Virgin, and many others are among the claimed victims.
Cl0p ransomware has been around since 2019. The gang has also been at the forefront of the ransomware world, with estimated payouts reaching $500 million in November 2021.
Even though the gang stopped operations following the arrest of several of its affiliates in late 2021, Cl0p came back to life earlier this month. Since then, the gang has been on a spree, reportedly adding multiple victims each day.
The use of the GoAnywhere zero-day flaw was confirmed by the cybercriminals themselves, who added that the vulnerability was used to supposedly breach 130 organizations.
Experts believe the gang’s openness about using the zero-day bug points to the tool being obsolete. The gang might have created a smokescreen by pushing security teams to frantically look for exposed systems while attempting to move laterally or abuse other vendors.