Cyber Incident Victim: Avidia Bank
Date: Feb 2023
Location: United States of America
Summary
A ransomware group exploited a vulnerability in Fortra's GoAnywhere secure file transfer tool, compromising data from numerous organizations. The Russia-linked Clop gang claimed theft from approximately 130 entities, though fewer than half were publicly listed. Healthcare providers, financial institutions, and municipal systems confirmed breaches involving patient records, employee information, and operational data. Avidia Bank was identified as a GoAnywhere user but did not respond to inquiries regarding potential impact. Some listed organizations denied data theft, asserting only test environments or non-sensitive mock data were accessed, while others acknowledged stolen personal and financial documents. Fortra provided patches after the vulnerability disclosure, but attackers had already exfiltrated data during the exploitation window.
Description
The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool emerged in late January or early February 2023, though the exact start date remains unclear. The Russia-linked Clop ransomware gang exploited a zero-day vulnerability in GoAnywhere, a widely used enterprise file transfer solution, to compromise data from organizations utilizing the software. Fortra had initially concealed details of the vulnerability behind a login screen on its website, but independent security reporter Brian Krebs publicly disclosed the flaw on February 2, 2023. Five days later on February 7, Fortra released security patches for affected GoAnywhere instances—both cloud-hosted and on-premises deployments. By that time, Clop had already exfiltrated substantial volumes of data from multiple victims, claiming to have compromised 130 organizations through this attack vector.

Confirmed impacts began surfacing in March 2023 as Clop progressively listed victims on its dark web leak site. Healthcare provider Community Health Systems disclosed the theft of health information for at least 1 million patients via its GoAnywhere system. Other major entities including Hatch Bank, Rubrik, Investissement Québec, and Hitachi Energy confirmed breaches involving employee data stolen from their GoAnywhere implementations. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23 to confirm unauthorized access through its third-party GoAnywhere instance. While some listed organizations like AvidXchange and Saks Fifth Avenue contested the severity of data exposure—asserting no sensitive data resided on the platform or only mock test data was taken—others including Galderma, ITx Companies, and Brightline declined to comment despite being identified as GoAnywhere users. Avidia Bank was among the organizations named in connection with the attack but did not respond to multiple requests for comment, leaving its specific exposure unconfirmed. Clop gradually released samples of stolen data such as W-9 forms, payment records, and employee details from victims like Onex, while maintaining extortion pressure by threatening full publication unless ransoms were paid. The full scope of compromised entities and data types remained uncertain as numerous affected organizations neither confirmed breaches nor disclosed mitigation actions.
