Cyber Incident Victim: AvidXchange

Date: Jan 2023

Location: United States of America

Summary

AvidXchange experienced two separate ransomware incidents involving the Clop and RansomHouse groups. The second resulted in data exfiltration that included sensitive corporate documents, employee payroll information, bank account details, and login credentials that revealed weak password practices. The initial breach occurred through a vulnerability in a third-party file transfer system, while the subsequent attack led to unauthorized system access and public data leaks. The company detected anomalous activity during routine monitoring, initiated investigations with cybersecurity experts, notified law enforcement, and temporarily disabled affected applications in order to reset customer credentials. Ongoing efforts include implementing additional safeguards while maintaining operations, though some features faced temporary disruptions. Exfiltrated data samples indicated potential exposure of non-disclosure agreements, security question answers, and access details for internal systems ranging from cloud accounts to physical security devices.

Description

In early 2023, AvidXchange, a North Carolina-based payment software company processing 70 million transactions annually for 8,000 customers, experienced two separate ransomware incidents. The first incident stemmed from a mass exploit of Fortra’s GoAnywhere file transfer tool, which occurred between late January and early February 2023. The Russia-linked Clop ransomware gang exploited a zero-day vulnerability in GoAnywhere, a system AvidXchange used exclusively to transfer files to a third-party check-printing vendor. Fortra, the software’s developer, released a patch on February 7 after security researcher Brian Krebs exposed the flaw, but Clop had already compromised approximately 130 organizations, including AvidXchange. Clop listed AvidXchange on its dark web leak site in March 2023, claiming to possess GoAnywhere backups, though AvidXchange asserted no customer or transactional data resided on Fortra’s platform and maintained its GoAnywhere instance was taken offline by Fortra during remediation. The company’s forensic review, conducted with external experts, concluded no data exfiltration occurred in this initial breach.

A second, unrelated ransomware attack occurred in early April 2023 when AvidXchange detected unusual activity during routine security monitoring. The RansomHouse group claimed responsibility, publishing stolen data including non-disclosure agreements, employee payroll records, corporate bank account numbers, and login credentials for internal systems such as cloud accounts, security software, smart door locks, and surveillance cameras. Leaked credentials revealed weak password practices, with variations of “AvidXchange” and “password” used across systems, many potentially still active. AvidXchange confirmed data exfiltration, initiated an investigation with cybersecurity experts, notified law enforcement, and temporarily took offline a specific application used by a limited number of customers in order to reset their passwords. The company acknowledged operational disruptions from implementing additional safeguards but maintained core payment processing functionality. RansomHouse, positioning itself as a “professional mediators community,” justified the attack by citing AvidXchange’s alleged negligence toward data security. AvidXchange declined to disclose whether it received or paid ransom demands, established a dedicated webpage for updates, and warned customers of potential phishing risks from further data releases. The incidents collectively exposed weaknesses in third-party vendor management and internal credential practices, though the full scope of affected customers and employees remained unclear as investigations continued.
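The weak-password finding above (credentials that were simple variations of the company name or of “password”) is the kind of thing a password-set policy or a post-breach credential audit should catch. The following is an added illustration, not code from AvidXchange or from this write-up: it normalizes a candidate password (case folding, undoing common “leet” substitutions, dropping digits and symbols) and flags it if it still contains an organisation-specific or generic banned term. The credential records are constructed sample data.

```python
import re

# Common "leet" substitutions, undone before matching so that
# "Av1dXch@nge" and "AvidXchange" compare equal. (Assumed mapping,
# not from the incident report.)
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions, then keep only letters."""
    folded = password.lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", folded)


def is_derived_from(password: str, banned_terms) -> bool:
    """True if the normalized password contains any banned term
    (company name, product name, 'password', ...). Terms shorter than
    four letters are ignored to avoid spurious matches."""
    norm = normalize(password)
    for term in banned_terms:
        t = normalize(term)
        if len(t) >= 4 and t in norm:
            return True
    return False


def audit_credentials(records, banned_terms):
    """records: iterable of (system, username, plaintext_password).
    Returns the systems whose password is a banned-term derivation.
    Intended for a policy check at password-set time or for reviewing a
    breach-derived plaintext list; hashed stores cannot be audited this way."""
    return [system for system, _user, pw in records
            if is_derived_from(pw, banned_terms)]


# Constructed sample credentials (not real data from the incident).
SAMPLE_RECORDS = [
    ("cloud-console", "admin", "AvidXchange2023!"),
    ("door-lock", "facilities", "Av1dXch@nge"),
    ("camera-nvr", "security", "P@ssw0rd1"),
    ("vpn", "jdoe", "correct horse battery staple"),
]
BANNED = ["AvidXchange", "password"]

if __name__ == "__main__":
    print(audit_credentials(SAMPLE_RECORDS, BANNED))
```

The same normalization can be extended with product names, site names and other context-specific words that NIST SP 800-63B recommends blocking.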
