Saks Fifth Avenue becomes latest Clop ransomware victim

ransomware avast
(Image credit: Avast)

The list of Clop ransomware victims keeps on growing, with the threat actor adding American retail icon Saks Fifth Avenue to its data leak website.

Saks Fifth Avenue is a luxury brand retailer, offering curated shops featuring the latest trends in apparel, shoes, handbags, and similar. 

While the threat actor did add the retailer’s name to the leak site, they did not provide any additional details, such as the type of data that was taken, or whom it belonged to (for example, customers, partners, or employees). 

Fake data

On the other hand, the company confirmed the data breach to BleepingComputer, with a spokesperson saying that it fell prey to the now-infamous GoAnywhere MFT vulnerability. It did, however, downplay the importance of the incident, saying the data the hackers took was bogus:

"Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks," a Saks spokesperson told the publication. "The mock customer data does not include real customer or payment card information and is solely used to simulate customer orders for testing purposes."

The reporters followed up with a question whether corporate or employee data was taken, and were met with silence.

When Clop added Community Health Systems (CHS) to its data leak site in mid-February this year and claimed it had used a single vulnerability in GoAnywhere MFT to compromise 130 organizations, it’s safe to assume that very few people actually believed them, especially with the threat actors not backing these claims with any evidence at the time.

Since then, Clop added Hatch Bank, Hitachi Energy, Ferrari, and dozens of other companies, to the leak site, giving credence to its claims.

GoAnywhere MFT is a popular file-sharing service developed by Fortra and used by large businesses to share sensitive files, securely. It was vulnerable to CVE-2023-0669, a pre-authentication command injection vulnerability in the License Response Servlet that allowed Clop’s members to execute malicious code, remotely. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.