2023-03-29

Data belonging to 63,000 minors has leaked online after a children's mental health provider became the latest victim of an ongoing cyberattack campaign exploiting a flaw in software company Fortra's GoAnywhere file transfer product. The provider, Brightline, is one of 130 organisations claimed as victims by Russian ransomware gang Cl0p, which carried out the attack. It is "extremely likely" that other cybercriminals are now taking advantage of the flaw in Fortra's software, researchers say.

Brightline provides services for members of the US health insurer Blue Shield, and a breach notification filed by Blue Shield reveals that data including names, addresses, dates of birth, gender, Blue Shield subscriber ID numbers, phone numbers and email addresses has been stolen.

It is not known if a ransom has been demanded or paid.

The attacks began in January, with the criminals exploiting a security flaw in Fortra's GoAnywhere MFT file transfer software that gave them access to files customers had transferred through it. Cl0p claims to hold information on 130 businesses, and has been leaking data ever since.

Fortra has since released emergency security updates for the flaw, now tracked as CVE-2023-0669, a pre-authentication remote code execution vulnerability in the product's administrative interface. New victims of the attack continue to come forward.

Since the Brightline disclosure, David Keystone, chief privacy officer at Blue Shield, has written to clients informing them of the breach.

He says the company will offer affected clients a one-year membership to Experian IdentityWorks to help them track whether their child's data is being misused. Information belonging to minors is known as "fresh data" on the dark web because it is useful in creating new identities: children have no credit history, so fraud built on their details can go unnoticed for years. As such it can sell for a high price.

Brightline and Fortra have yet to respond to requests for comment from Tech Monitor.

Victims of the GoAnywhere attack listed by Cl0p on its dark web leak site include US healthcare provider US Wellness, reinsurer Munich Re, Virgin Atlantic's Virgin Red rewards scheme, publisher Scholastic and cinema chain Cineplex.

Others that have confirmed their systems were breached include the City of Toronto, Investissement Québec, US hospital operator Community Health Systems, Hitachi, fintech-focused lender Hatch Bank and cybersecurity company Rubrik.

The UK Pension Protection Fund, which manages assets worth £39bn, has also been impacted, and said last week it was investigating what had happened.

“Understanding what data may have been compromised and contacting anyone potentially affected has been our top priority. We can assure our current members and levy payers that none of their data has been involved in the breach,” the fund said.

US cybersecurity agency CISA has added the bug to its Known Exploited Vulnerabilities catalogue, which obliges civilian federal agencies to patch the issue within a set deadline.

Fortra said in a statement that it had "determined that an unauthorized party accessed the systems via a previously unknown exploit and created unauthorized user accounts." The statement added that services had been disabled when the breach was discovered, and are now "being restored on a customer-by-customer basis as mitigation is applied and verified within each environment."

It added: “We are working directly with customers to assess their individual potential impact, apply mitigations and restore systems.”

Now that details of the flaw are in the wild, it is reasonable to assume it will be abused by other cybercriminals, Jim Simpson, director of threat intelligence at Searchlight Cyber, told Tech Monitor. "I would assess it is extremely likely that other threat actors are taking advantage of this vulnerability," he says. "Given the nature and availability of the vulnerability and the fact it has already been leveraged, threat actors can take advantage of that knowledge."

