Saks Fifth Avenue becomes latest Clop ransomware victim
The list of Clop ransomware (opens in new tab) victims keeps on growing, with the threat actor adding American retail icon Saks Fifth Avenue to its data leak website.
Saks Fifth Avenue is a luxury brand retailer, offering curated shops featuring the latest trends in apparel, shoes, handbags, and similar.
While the threat actor did add the retailer’s name to the leak site, they did not provide any additional details, such as the type of data that was taken, or whom it belonged to (for example, customers, partners, or employees).
Fake data
On the other hand, the company confirmed the data breach to BleepingComputer, with a spokesperson saying that it fell prey to the now-infamous GoAnywhere MFT vulnerability. It did, however, downplay the importance of the incident, saying the data the hackers took was bogus:
“Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks,” a Saks spokesperson told the publication. “The mock customer data does not include real customer or payment card information and is solely used to simulate customer orders for testing purposes.”
The reporters followed up with a question whether corporate or employee data was taken, and were met with silence.
When Clop added Community Health Systems (CHS) to its data leak site in mid-February this year and claimed it had used a single vulnerability in GoAnywhere MFT to compromise 130 organizations, it’s safe to assume that very few people actually believed them, especially with the threat actors not backing these claims with any evidence at the time.
Since then, Clop added Hatch Bank, Hitachi Energy, Ferrari, and dozens of other companies, to the leak site, giving credence to its claims.
GoAnywhere MFT is a popular file-sharing service developed by Fortra and used by large businesses to share sensitive files, securely. It was vulnerable to CVE-2023-0669, a pre-authentication command injection vulnerability in the License Response Servlet that allowed Clop’s members to execute malicious code, remotely.
Via: BleepingComputer (opens in new tab)