Hitachi Energy Latest Victim of Clop GoAnywhere Attacks


Attackers exploit a zero-day vulnerability in Fortra’s managed file transfer software

Prajeet Nair (@prajeetspeaks) • March 18, 2023


Hitachi Energy is among the victims of the Clop ransomware group, which exploited a zero-day vulnerability in Fortra’s widely used managed file transfer software, GoAnywhere MFT. Clop claimed responsibility for the hack, which compromised networks of 130 different organizations.


Hitachi Energy, a subsidiary of the Japanese tech giant, confirmed on Friday that ransomware group Clop exploited a flaw in Fortra’s GoAnywhere file transfer software that could have led to unauthorized access to employee data in some countries.

“Upon learning of this incident, we immediately took action and launched our own investigation, disconnected the third-party system and hired forensic IT professionals to help us analyze the nature and scope of the attack,” the company said in a data breach notification letter.

The company says it is informing affected employees and has notified the relevant data protection, security and law enforcement authorities.

“According to our latest information, our network operations or the security of customer data have not been compromised. We will continue to update the relevant parties as the investigation progresses,” the statement said.

Cybersecurity analyst and security researcher Dominic Alvieri first reported the breach at the company. Hitachi Energy owns power grids and wind farms in Italy and Finland, among others, and offers its solutions in more than 140 countries.

A spokesman for Hitachi Energy was not immediately available to provide further details.

The incident followed a breach at cybersecurity software giant Rubrik, which also fell victim to attackers exploiting the same vulnerability. Headquartered in Palo Alto, California, Rubrik is one of the industry’s largest data resiliency platforms. The company helps customers recover data after a system crash or after it is deleted by attackers (see: Rubrik breached by zero-day attack exploiting GoAnywhere).

Hackers used a bug in GoAnywhere file transfer software to access a non-production IT test environment at Rubrik, the company said in a data breach notification on Tuesday.

The vulnerability exploited by the attackers is tracked as CVE-2023-0669 and exists in Windows and Linux versions of the managed file transfer software prior to 7.1.2.

Fortra, formerly known as HelpSystems, has more than 3,000 organizations as customers.

The vulnerability in GoAnywhere MFT is a pre-authentication remote code execution flaw: attackers can remotely execute code of their choice without first having to authenticate to the GoAnywhere MFT administration console.

For the attack to succeed, the administration console must be reachable from the internet. The first known attacks exploiting the flaw began on Jan. 25. On Feb. 1, Fortra issued a security alert and mitigation instructions. On Feb. 7, it released version 7.1.2 of GoAnywhere MFT, which fixes the bug.

The U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies have urged all GoAnywhere MFT users to immediately update their software or apply workarounds to mitigate the vulnerability (see: Authorities warn healthcare sector of ongoing Clop threats).

