Cyber Incident Victim: Cornerstone Home Lending

Date: Jan 2023

Location: Canada

Summary

A mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool impacted numerous organizations, with the Russia-linked Clop gang claiming compromise of approximately 130 entities. Cornerstone Home Lending was identified as a user of the affected software but did not respond to inquiries regarding potential data exfiltration. While some victims like Community Health Systems confirmed theft of over 1 million patient records, others such as Saks Fifth Avenue reported only mock data exposure. The attackers gradually listed victims on their dark web leak site, though several organizations denied data breaches or remained under investigation. Fortra did not publicly disclose affected customers or confirm whether its hosted systems were compromised.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool emerged in late January or early February 2023, though the exact start date remains unspecified. The Russia-linked Clop ransomware gang claimed responsibility for compromising approximately 130 organizations through this zero-day vulnerability, which Fortra had initially documented behind a login-protected advisory on February 1 before public disclosure by security researcher Brian Krebs on February 2. Fortra released patches on February 7, but attackers had already exfiltrated data from multiple victims during the window of exposure. The attack vector involved unauthorized access to GoAnywhere instances, which organizations either self-hosted or used via Fortra's cloud infrastructure. Clop progressively added victim names to its dark web leak site throughout March 2023, threatening to publish stolen data unless ransom demands were met.

Confirmed impacts included healthcare provider Community Health Systems (1 million+ patient records), Hatch Bank (financial data), and Rubrik (cybersecurity firm). Employee personal information was stolen from Investissement Québec and Hitachi Energy via their Fortra-hosted systems. The City of Toronto confirmed unauthorized access through its GoAnywhere instance but initially denied data exfiltration before revising its statement on March 23 to acknowledge compromised files. Organizations like Saks Fifth Avenue reported theft of mock customer test data, while AvidXchange disputed Clop's claims despite being listed. Cornerstone Home Lending was identified as a GoAnywhere user and appeared among Clop's targets, but the company did not respond to multiple requests for comment regarding potential data compromise. Fortra maintained complete silence on the breach scope, customer notifications, and whether its own hosted platforms were compromised, despite direct inquiries. By March 22, Clop had publicly listed fewer than half of the 130 claimed victims, leaving the full impact unverified as numerous affected organizations—including Galderma, ITx Companies, and Homewood Health—either declined to comment or were unreachable. Forensic investigations by some victims confirmed isolated breaches, while others asserted no data exposure from their GoAnywhere implementations.
