Cyber Incident Victim: Crown Resorts

Date: Mar 2023

Location: Australia

Summary

Crown Resorts, a large gambling and entertainment company, suffered a data breach after its GoAnywhere secure file-sharing server was compromised via a zero-day vulnerability. The Clop ransomware gang claimed responsibility for the attack and issued a ransom demand, stating they had stolen a limited number of files. The company confirmed the extortion attempt but stated there was no evidence customer data was compromised or that business operations were impacted. An investigation was initiated with law enforcement.

Description

On or around March 27, 2023, Crown Resorts, Australia's largest gambling and entertainment company, confirmed it had suffered a data breach. The incident occurred when threat actors exploited a zero-day vulnerability in the company's GoAnywhere secure file-sharing server. The attack was attributed to the Clop ransomware gang, which had publicly claimed in February to have stolen data from 130 organizations over a ten-day period by leveraging the same GoAnywhere flaw. Crown Resorts, a Blackstone-owned entity with an annual revenue exceeding $8 billion and operations in Melbourne, Perth, Sydney, Macau, and London, was contacted directly by the ransomware group. The attackers claimed to have illegally obtained a limited number of Crown files and issued a ransom demand as part of a data extortion campaign, a tactic Clop had shifted to over the preceding year, moving away from its previous focus on file encryption.

In its official statement, Crown Resorts confirmed it was investigating the validity of the claims as a matter of priority. The company stated there was no evidence that customer data had been compromised and that its business operations had not been impacted by the security incident. Crown Resorts committed to continuing its work with law enforcement agencies throughout the investigation and promised to provide further updates if new evidence emerged. The company joined a growing list of high-profile victims that had admitted to being impacted by the widespread exploitation of the GoAnywhere vulnerability, including organizations such as Community Health Systems (CHS), Hatch Bank, Rubrik, the City of Toronto, Hitachi Energy, Procter & Gamble, and Saks Fifth Avenue. At the time of reporting, Clop was still extorting its victims by threatening to release the stolen data but had not yet published any Crown Resorts information on its data leak site. The software vendor, Fortra, faced potential legal consequences for the widespread breach, including a class action lawsuit in the United States accusing it of failing to implement adequate cybersecurity measures to protect private data stored within its system. This incident mirrored Clop's previous large-scale attack in December 2020, when the gang exploited a zero-day in Accellion FTA to compromise over a hundred firms and demand millions in extortion payments.
