Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file sharing platform was compromised in early February.

Although the company did not specify who was behind the security breach, it is part of an ongoing wave of extortion claims related to attacks by the Clop ransomware gang targeting Fortra GoAnywhere secure storage servers worldwide.

According to Procter & Gamble, the attackers did not gain access to employees’ financial or social security information, although they did manage to steal some of their data.

“P&G can confirm that it was one of many companies impacted by Fortra’s GoAnywhere incident. As part of this incident, an unauthorized third party obtained information about P&G employees,” Procter & Gamble told BleepingComputer.

“The data obtained by the unauthorized party did not include information such as social security numbers or national identification numbers, credit card details or bank account information.”

P&G says it has no evidence that this data breach impacted customer data and that it stopped using Fortra’s GoAnywhere secure file sharing services after discovering the incident.

“When we learned of this incident in early February, we quickly investigated the nature and extent of the problem, disabled [the] use of vendor services and informed employees,” the company added.

“At this time, there is no indication that customer data has been affected by this issue. Our business operations are continuing as normal.”

Clop claims to have stolen files from over 130 organizations

The Clop ransomware gang previously told BleepingComputer that it exploited the CVE-2023-0669 GoAnywhere vulnerability as a zero-day to breach and steal data from the secure storage servers of over 130 organizations.

They allegedly stole the data for ten days after hacking internet-exposed servers vulnerable to exploits targeting this bug.

The threat actors also claimed that they only stole documents stored on victims’ compromised file-sharing platforms, although they could also have easily moved laterally through their networks to deploy ransomware payloads.

Clop began publicly extorting victims of the GoAnywhere attacks on March 10, when it added seven companies to its data leak site.

So far, the list of victims who have come forward to acknowledge GoAnywhere breaches and that Clop is extorting them also includes healthcare giant Community Health Systems (CHS), fintech platform Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, luxury brand retailer Saks Fifth Avenue, and the City of Toronto, Canada.

In ransom notes sent to victims and seen by BleepingComputer, the ransomware gang presents itself as the “Clop hacker group”, warning victims that it has stolen sensitive documents, which would be posted online on Clop’s leak site and sold on the black market if the victims were unwilling to negotiate.

“We wish to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a complete list of files as evidence,” the ransom notes state.

“We deliberately did not disclose your organization and wanted to negotiate with you and your management first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50,000 unique visitors per day.”

Also behind the Accellion 2020 breaches

The ransomware gang’s alleged use of a GoAnywhere MFT zero-day to steal sensitive files from victims’ secure sharing servers is very similar to its use of an Accellion FTA zero-day vulnerability to steal the data of around 100 companies in December 2020.

During the Accellion attacks, Clop stole massive amounts of data and demanded ransoms of $10 million from leading companies such as energy giant Shell, cybersecurity company Qualys, supermarket giant Kroger, and universities around the world (for example, Stanford Medicine, University of Colorado, and the University of California).

The Clop gang has also been linked to ransomware attacks since at least 2019, encrypting and stealing files from the servers of a long line of victims, including Software AG IT, Maastricht University, ExecuPharm, and Indiabulls.


