In early February, Procter & Gamble (P&G), the consumer goods giant, confirmed a data breach on its GoAnywhere MFT platform, which resulted in the theft of some employee data. Fortunately, P&G assures that the hackers were unable to access their workers' financial and social security information, and customer data remained untouched. However, the breach was part of an ongoing extortion campaign by the Clop ransomware gang, who targeted Fortra GoAnywhere secure storage servers worldwide. Using a zero-day exploit of the CVE-2023-0669 vulnerability, the Clop group successfully breached the secure storage servers of over 130 organizations. The group has a history of ransomware attacks since 2019, targeting Software AG IT, Maastricht University, ExecuPharm, and Indiabulls, among others.

Details of the Data Theft Attack

The hackers targeted the GoAnywhere MFT secure file-sharing platform, which is designed to protect the data transfer process and ensure that sensitive information is not intercepted by unauthorized parties. The attack was possible due to a zero-day vulnerability in the software exploited by the Clop ransomware gang. The vulnerability allowed the attackers to bypass security measures and gain access to sensitive information stored on the platform.

The Clop ransomware gang claims that it stole data from over 130 organizations, including healthcare giant Community Health Systems, Hatch Bank, and the City of Toronto, after exploiting the GoAnywhere vulnerability. The group allegedly stole the data over ten days after breaching Internet-exposed servers vulnerable to exploits targeting this bug.

P&G Response

P&G immediately took action after discovering the attack, disabling the use of the vendor's services and notifying employees. The company has also confirmed that it stopped using Fortra's GoAnywhere secure file-sharing services after discovering the incident.

The company has confirmed that the data that was obtained by the unauthorized party did not include information such as social security numbers or national identification numbers, credit card details, or bank account information. P&G has stated that its business operations are continuing as normal.

Clop Ransomware Resurfaced

The GoAnywhere zero-day vulnerability exploited by the Clop ransomware operators has affected any organizations worldwide. The attack highlights the importance of using secure file-sharing platforms and the need for organizations to stay up-to-date with the latest security updates and patches.

It also highlights the need for organizations to ensure that their employees are trained to recognize potential security threats and the importance of reporting suspicious activity to their IT departments.

As the number of cyberattacks continues to rise, organizations must take proactive measures to protect their data and systems. Failure to do so could result in significant financial losses, damage to the organization's reputation, and loss of customer trust.