The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HC3: Ransomware Groups are Exploiting GoAnywhere and PaperCut Vulnerabilities

The Health Sector Cybersecurity and Coordination Center (HC3) has issued a fresh ransomware warning to the healthcare and public health (HPH) sector following a spate of attacks on the HPH sector in April by the Clop and LockBit ransomware groups.

HC3 has issued multiple alerts about the Clop and LockBit ransomware-as-a-service groups, which have conducted multiple attacks on the healthcare sector. Clop was behind the attacks on Fortra’s GoAnywhere MFT solution in January/February 2023 and the 2022 attacks on the Accellion File Transfer Application (FTA), both of which exploited zero-day vulnerabilities in those solutions. The latest alert about LockBit was issued in December 2022 following multiple attacks on HPH sector organizations.

The Clop group exploited the GoAnywhere MFT vulnerability (CVE-2023-0669) and stole data from around 130 organizations, and both groups have been observed exploiting two other recently disclosed vulnerabilities – CVE-2023-27350 and CVE-2023-27351 – which are authentication bypass vulnerabilities in the widely used print management software, PaperCut MF/NG. Those two vulnerabilities were disclosed by the developer on April 19, 2023, and were corrected in PaperCut versions 20.1.7, 21.2.11, and 22.0.9 and later.

On April 26, 2023, Microsoft announced that a threat actor known as Lace Tempest was exploiting the PaperCut flaws and that the activity overlapped with the FIN11 and TA505 threat groups, both of which have ties to Clop. After exploiting the vulnerabilities, TrueBot malware was deployed, which is known to be used by the Clop ransomware operation. LockBit ransomware was deployed in some of the attacks.

Network defenders have been advised to promptly patch their servers by updating to the latest versions of PaperCut. If that is not possible, there is a recommended workaround, which involves blocking all traffic to the web management port (9191) from external IP addresses on edge devices and blocking all traffic to default port 9191 on the server’s firewall. Users of Fortra’s GoAnywhere MFT solution should rotate the Master Encryption Key, reset all credentials, review audit logs, and delete suspicious administrator and user accounts.
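The patch guidance above can be turned into a quick inventory check. The following Python is an added example, not code from HC3, PaperCut or the original article; it compares each server's version with the fixed release for its branch and picks the matching part of the port 9191 workaround. The host names, exposure flags and status labels are assumptions made for illustration.

```python
import re

# Fixed PaperCut MF/NG releases per major branch, as listed in the article.
FIXED = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}

def parse_version(text):
    """Extract (major, minor, patch) as integers from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text, port_9191_external):
    """Return (status, action) for one PaperCut server."""
    ver = parse_version(version_text)
    major = ver[0]
    if major > max(FIXED):
        status = "patched"        # "and later": newer than the 22.0.9 branch
    elif major in FIXED:
        # Tuples compare numerically, so 21.2.9 < 21.2.11
        # (a plain string comparison would get this wrong).
        status = "patched" if ver >= FIXED[major] else "vulnerable"
    else:
        status = "no-fix-listed"  # branch older than any fixed release in the article
    if status == "patched":
        return status, "none"
    if port_9191_external:
        return status, "upgrade, or block 9191 at the edge and on the server firewall"
    return status, "upgrade, or block 9191 on the server firewall"

# Constructed sample inventory: host names and exposure flags are hypothetical.
INVENTORY = [
    ("print01.example.org", "20.1.6", True),
    ("print02.example.org", "21.2.9", False),
    ("print03.example.org", "21.2.11", True),
    ("print04.example.org", "19.2.7", True),
]

def report(inventory):
    """Map each host to its (status, action) pair."""
    return {host: triage(ver, exposed) for host, ver, exposed in inventory}

if __name__ == "__main__":
    for host, (status, action) in report(INVENTORY).items():
        print(f"{host:22} {status:14} {action}")
```

Servers reported as `no-fix-listed` run a branch for which the article names no fixed release, so they need an upgrade to a supported branch rather than a point update.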

Further recommended mitigations against attacks by Clop, LockBit, and other cybercriminal groups are detailed in the HC3 alert.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
