Hatch Bank discloses data breach after GoAnywhere MFT hack


Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company’s Fortra GoAnywhere MFT secure file-sharing platform.

Hatch Bank is a financial technology firm allowing small businesses to access bank services from other financial institutions.

As reported by TechCrunch, data breach notifications sent to impacted customers and filed with Attorney General’s offices warned that hackers exploited a vulnerability in the GoAnywhere MFT software to steal the data of 139,493 customers.

“On January 29, 2023, Fortra experienced a cyber incident when they learned of a vulnerability located in their software,” warned the Hatch Bank data breach notification.

“On February 3, 2023, Hatch Bank was notified by Fortra of the incident and learned that its files contained on Fortra’s GoAnywhere site were subject to unauthorized access.”

Hatch says it conducted a review of the stolen data and determined that the attackers stole customers’ names and social security numbers.

The bank added that it is providing free access to credit monitoring services for twelve months to affected individuals.

This is the second confirmed data breach caused by the GoAnywhere MFT attacks, with the first one disclosed by Community Health Systems (CHS) last month.

Clop ransomware gang behind GoAnywhere breaches

While Hatch Bank did not disclose what threat actor conducted the attack, the Clop ransomware gang told BleepingComputer that they were behind these attacks and had stolen data from over 130 organizations.

The ransomware gang says they utilized the zero-day vulnerability in Fortra’s GoAnywhere MFT secure file-sharing platform to steal data over ten days.

The vulnerability is now tracked as CVE-2023-0669 and is a remote code execution vulnerability allowing remote threat actors to access servers. GoAnywhere disclosed its vulnerability to customers in early February after learning it was being actively exploited in attacks.

An exploit was publicly released for the vulnerability a day before the platform received an emergency patch on February 7th.

BleepingComputer could not independently confirm Clop’s claims that they were behind the attacks, and Fortra never replied to our emails.

However, Huntress Threat Intelligence Manager Joe Slowik also found links between the GoAnywhere MFT attacks and TA505, the hacking group known for deploying Clop ransomware.

Clop is known for using a similar tactic in December 2020, when they exploited a zero-day vulnerability in Accellion’s File Transfer Appliance (FTA) system to steal data from companies worldwide.

Like GoAnywhere MFT, Accellion FTA allows organizations to share files with their customers securely.

As part of these attacks, the Clop ransomware gang attempted to extort victims by demanding a $10 million ransom to prevent the stolen data from being published.

The Accellion FTA attacks caused widespread damage, with numerous organizations disclosing related breaches, including Morgan Stanley, Qualys, energy giant Shell, and supermarket giant Kroger. Multiple universities worldwide were also affected, including Stanford Medicine, University of Colorado, University of Miami, and the University of California.

While it is unknown if Clop is demanding similar ransoms from victims of the GoAnywhere MFT attacks, if the gang follows similar tactics, we will begin to see stolen data appear on their data leak site in the future.

