Ransomware gang attacks hundreds of companies – Swiss pharmaceutical multinational on victim list

The Clop ransomware gang claims to have hacked 130 organizations around the world through a vulnerability in a popular software tool. Galderma is reportedly among those affected.

Daniel Schurter

A vulnerability in a popular data transfer tool has led to a hacking campaign against a large number of companies. As the US outlet TechCrunch reports, the list of victims is getting longer by the day. And it must now be assumed that a Swiss pharmaceutical company is among them.

The former Nestlé subsidiary Galderma was allegedly attacked by the ransomware gang Clop. At least, its name appears on the gang's leak site on the dark web. The criminals write "Coming Soon", which means that they will publish data if the victim does not pay the ransom.

What happened?

In February of this year, one of the largest healthcare providers in the United States with nearly 80 hospitals in 16 states was hit. Community Health Systems (CHS) has admitted that criminal hackers have accessed and stolen the personal and proprietary health information of up to one million patients.

The hackers were apparently able to break into the victim's computer network through a vulnerability in the popular file transfer software GoAnywhere. The software is used worldwide by numerous companies and organizations to securely send large amounts of data.

This was a so-called zero-day vulnerability. In other words, no fix was available yet, so basically all GoAnywhere users were vulnerable.

Global hacking campaign

Subsequently, the ransomware gang Clop, or "Cl0p", which is associated with Russia, claimed responsibility on its dark web leak site for the attack. The criminals also claimed to have attacked more than a hundred victims and stolen data in a veritable hacking campaign.

Technical details of the zero-day vulnerability in Fortra’s GoAnywhere software were first reported on Feb. 2 by security researcher and technology journalist Brian Krebs. The vulnerability has been assigned the identification number CVE-2023-0669 by IT security experts.

The ransomware gang later revealed to online outlet Bleeping Computer that they had already exploited the GoAnywhere vulnerability to steal data from over 130 organizations.

Fortra released an emergency patch – version 7.1.2 – on February 7 and calls on all GoAnywhere users to install the update as soon as possible.

What does Galderma say?

The company, headquartered in Zug, has not yet responded to a media inquiry from Watson.

The Swiss pharma giant's communications chief, Christian Marcoux, declined to answer TechCrunch's questions, according to its report.

Galderma was founded in 1981 as a joint venture between Nestlé and L'Oréal. Its product portfolio, research and development are focused on the field of dermatology.

The product range includes medicines for the treatment of skin, hair and nail diseases.

In 2019, Nestlé, by then the sole owner, sold Galderma to an international consortium of investors from Abu Dhabi and Singapore, among others. Reports speak of a possible IPO.

According to its own statements, the multinational is represented in about 90 countries worldwide.

How many companies are affected by the hacking campaign?

The magnitude of Clop's massive ransomware attack can hardly be estimated, as many of those allegedly affected refrain from disclosing it publicly.

TechCrunch says it has learned of dozens of organizations that were using the affected GoAnywhere file transfer software at the time of the ransomware attack. This suggests that there are likely to be more victims.

Since the attack in late January or early February – the exact date is not known – Clop has disclosed fewer than half of the 130 organizations allegedly compromised through GoAnywhere.

TechCrunch reached out to a few companies known to use GoAnywhere that were recently added to Clop’s leak site. Several replied that they were not affected.

A number of other organizations recently added to Clop's dark web site categorically declined to comment.

How dangerous is Clop?

Clop is one of the most active ransomware gangs, known for blackmailing its victims by threatening to release stolen data.

The gang runs ransomware as a service (RaaS). Their criminal partners specifically target large corporations and multinationals in North America, Latin America, Asia Pacific and Europe. According to IT security experts, the members speak Russian.

In some cases, victims were blackmailed with data that the gang may not have stolen itself, but bought from other hackers. American security researchers suspected this, among other cases, in the case of the Canadian aircraft manufacturer Bombardier. At the time, the victim's data was apparently stolen via a hacked software tool from the California company Accellion; this tool was used to manage large email attachments.

In June 2021, six suspects believed to belong to the criminal organization were arrested in Ukraine. The arrests were made as part of a joint investigative operation by law enforcement agencies in Ukraine, South Korea and the United States.

Clop is considered to be the successor to the CryptoMix ransomware, which is believed to have been developed in Russia.

Sources

  • techcrunch.com: New victims report after massive ransomware attack
  • techcrunch.com: Ransomware gang uses new zero-day to steal data from 1 million patients

Source: Watson
