Saks 5th Avenue Pwned By Cl0p Ransomware Group

The Cl0p ransomware gang claimed responsibility for an attack on Saks 5th Avenue by posting stolen Saks data on its Dark Web site. Threat Analyst Brett Callow posted the Cl0p announcement on Twitter on Monday.

Saks claims it’s all mock customer data used for training purposes but has not detailed whether it includes corporate information or employee PII.

In response to questions about the breach from Bleeping Computer, the company confirmed that the incident was linked to Fortra (formerly HelpSystems), a Saks vendor: 

“Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks.”

This attack continues Cl0p’s use of the GoAnywhere MFT server vulnerability, CVE-2023-0669, which allows attackers to execute code remotely on unpatched systems if the admin console is exposed to the Internet. Cl0p told Bleeping Computer just last month that it had breached 130+ organizations in just 10 days using this same vulnerability.

So far no one has confirmed what data was taken or details of any ongoing ransom discussions.

Al Martinek, Customer Threat Analyst at Horizon3.ai, had these questions regarding this incident:


“Since the start of the Russo-Ukrainian war, we have seen a sharp increase in Russian cyber activity, especially targeting NATO, US allies, and US critical infrastructure globally. Russian state-sponsored and backed cyber threat actors have used the Ukrainian cyber landscape to hone their skills, as well as their tactics, techniques, and procedures (TTPs). 

“The recent attack on the US-based Community Health Systems (CHS) and a large US-based retailer shows that the Russian-linked ransomware group Cl0p exploited the GoAnywhere MFT zero-day vulnerability (CVE-2023-0669) to gain access and steal data; and has reportedly targeted over 130 organizations worldwide. Although not confirmed, Clop has conducted such attacks in the past with the goal of disrupting daily organizational cyber activity, stealing sensitive data, and finding other opportunistic ways to disrupt or deploy further attacks.

So what?

“Zero-day vulnerabilities will continue to plague organizations and could have severe consequences. Although cyber threat actors generally attack larger organizations, every business regardless of size can be a target for zero-day vulnerabilities. With the continued presence of Russia in Ukraine, we will continue to see Russian state-sponsored and backed groups take responsibility for zero-day attacks, bolstering their credibility while targeting US interests worldwide to gain support. Zero-day threat actors do not fit into a one size fits all category, and attack vectors change from group to group with differing TTPs.

Now what?

“These types of vulnerabilities occur with little to no warning, making them a major cybersecurity threat as they are difficult to predict or protect against. Currently, 3% of customers from across different industries and sectors to include energy, retail, medical, and financial use GoAnywhere MFT in their environments. 

“The best way to proactively protect against zero-day vulnerabilities is to ensure all systems and network devices are updated to the most current software, and by using autonomous penetration testing software, such as NodeZero, to help companies stay ahead of possible vulnerabilities in their cyber environment. Additionally, implementing a regular cadence of pentesting within an environment with NodeZero helps find vulnerabilities and issues quickly, suggests mitigations and fix actions, and allows for instant verification of said fix actions.”

I fully expect more details to come out, as Saks needs to explain more than it has to date; simply saying that this was “mock data” really doesn’t quite meet the standard of disclosing the details of this incident. The fact is that there needs to be a very detailed accounting of what was actually taken by the threat actors, and what they will do to make sure that it doesn’t happen again.
