The IT Nerd

There has been a rash of attacks via a vulnerability in Fortra’s GoAnywhere MFT tool. And the results are far reaching. The latest victim to have disclosed that they have been pwned via this vulnerability is Brightline, which provides virtual coaching and therapy to children. They posted the disclosure on their website:

While Fortra’s investigation is ongoing, we understand that on January 30, 2023, Fortra was made aware of suspicious activity within certain instances of its GoAnywhere MFT service. Through its investigation, Fortra states that it identified a previously-unknown vulnerability which an unauthorized party used to gain access to certain Fortra customers’ accounts and download files, including ours.

Fortra informed us about the security vulnerability in their GoAnywhere MFT service on February 4, 2023. We took swift action the same day in response to the notice. Our investigation determined the incident was limited solely to the Fortra service and did not impact our own network.  Fortra also promptly notified law enforcement and is cooperating with their investigation of the Fortra incident.

Subsequently, we determined that the unauthorized party acquired certain files that were saved in the Fortra service. After making this determination, we immediately began to analyze the files to determine which individuals and data had been affected. As part of that analysis, it was determined that those files contained a limited amount of protected health information.  We then began notifying the Covered Entities of the incident.

And:

Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. Please see here for a list of impacted entities. Note: Aetna member IDs were not compromised as a result of this incident.

Yikes! That’s far from trivial and not good. Ani Chaudhuri, CEO, Dasera:

The recent data breach involving Brightline, a pediatric mental health provider, is a stark reminder of the importance of data security in the healthcare industry. While it is disheartening to learn that such a vital service provider has been targeted, this incident should serve as a call to action for organizations to strengthen their data protection measures.

It is essential to recognize that Brightline promptly addressed the breach, taking immediate steps to investigate and mitigate the impact of the incident. Their efforts to enhance security measures, rebuild their service, and reduce data exposure demonstrate a commitment to protecting their patients’ information. However, the fact remains that even the most well-intentioned organizations can fall victim to cyberattacks.

As a data security company, we understand organizations’ challenges in safeguarding their sensitive information. In this rapidly evolving landscape, companies must invest in robust data security solutions and work closely with experts to ensure they are prepared for emerging threats.

Moreover, it is vital for organizations to regularly assess their data security infrastructure and implement necessary updates and patches to address vulnerabilities. As the ransomware gang exploited a zero-day vulnerability in this case, it highlights the importance of staying informed about potential risks and swiftly mitigating them.

We empathize with Brightline and the affected individuals, understanding the stress and potential harm such breaches can cause. To assist those impacted, offering complimentary identity theft and credit monitoring services is a commendable step by Brightline. Organizations must prioritize their clients’ well-being and offer support during these challenging times.

While the Brightline data breach is unfortunate, it is a critical reminder for organizations to prioritize data security and invest in necessary measures to protect sensitive information. Collaboration between organizations and data security companies is essential to safeguard against threats and minimize the impact of breaches on the lives of those affected.

I suspect that there are more companies who use GoAnywhere are going to step forward and say that they have been pwned. Which will massively increase the scale of this vulnerability to something that could be an Earth shattering event in the cybersecurity space.

Yesterday, the city of Dallas announced that a number of its servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website which has been taken offline and 911 dispatchers are having to write down calls for officers rather than using the computer dispatch system.

CBS News Texas obtained an image the ransomware note. The hackers, a group called Royal, claim that they encrypted the city’s critical data, and threatened to post sensitive information online.

Officials are working to contain the spread to other city computer systems and, while there were reports of other governmental computer outages, there seems to be limited impact on city operations affecting residents.

While large, American cities such as Dallas, Baltimore, Oakland, Washington DC, to name a few, continue to experience impactful outages, it highlights a larger concern of the caliber of cybersecurity these municipalities have in place.

“We commonly find [state and local governments’] security posture to be weaker than that of the average corporate company. This is not due to a lack of concern, but rather a lack of resources and manpower to address the ever-growing challenges of cybersecurity,” Quentin Rhoads-Herrera, a Dallas-based cybersecurity executive, told CNN.

I have a three comments on this. Starting with Kevin Hanes, CEO, Cybrary:

   “Sounds familiar (ATL). For all the folks who are responding and trying to figure out the what, how, why, and now what?…as terrible as it is this will pass and you can come out of it stronger. It’s challenging but you have to stay positive and take care of one another as stress and no sleep will take its toll on everyone.”

Stephen Gates, Principal Security SME, Horizon3.ai follows up with this:

   “Most successful ransomware attacks are primarily due to hidden vulnerabilities that have laid dormant within the inner bowels of a network for some time. This endemic problem plaguing American cities (and elsewhere) will never be resolved until organizations accept the fact that yes, they are completely vulnerable to ransomware attacks. The problem, however, is that they often have no idea where those vulnerabilities lie.

   “It is imperative to get ahead of the game and find the vulnerabilities yourself by attacking your internal network the same way an attacker will. This is not a one-and-done proposition since you’ll never be able to manage your risk daily if you don’t know where you’re vulnerable. As a result, automated AI-driven tools are readily available to perform that continuous function for you today.”

Finally Roy Akerman, Co-Founder & CEO, Rezonate had this to say:

   “Local government offices continue to be a target for ransomware groups as we’ve seen for the past couple of years. For the most part, their infrastructure is outdated, their controls are not tuned and therefore, in the case of a compromise, the impact is greater than it should be resulting in a complete disruption of operations.

   “The Royal ransomware group has been known to use a mix of old and new techniques to lure victims to install a remote desktop malware from which they can extend reach and encrypt critical files. Controls against Ransomware threats must be implemented as well as practices to contain and recover without paying the ransom.”

Local governments really need to focus on not being a “target rich environment” for threat actors by improving their security posture. That’s the only way that situations like this will become less likely to happen.