Fortra Reveals Findings From GoAnywhere MFT Attack
Hackers who turned a zero-day in Fortra’s GoAnywhere file transfer software into a bonanza of ransomware attacks for Russian-speaking extortion group Clop first penetrated the company’s software in January, the company says.
More than 100 organizations have felt the effects of the bug, a pre-authentication command injection vulnerability in a licensing servlet the company disclosed on Feb. 1. Clop has taken responsibility for more than 50 now-patched GoAnywhere zero-day attacks, tracked as CVE 2023-0669 (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).
In a Monday summary of its investigation into the incident, Fortra says it first detected suspicious activity within certain instances of GoAnywhere on Jan. 30.
The investigation, conducted with Palo Alto Unit 42, revealed that hackers exploited some on-premises instances of the file transfer software as early as Jan. 18. Fortra says it does not administer the infrastructure for on-premises instances, but it provides support and indicators of compromise.
Hackers used their access to create unauthorized user accounts in some customer networks. They also installed two additional tools, Netcat and Errors.jsp, in some customer environments between Jan. 28 and Jan. 31. Not every installation attempt was successful. Netcat is a utility program, typically used to monitor network traffic. Errors.jsp is a JavaServer Page used for creating dynamic web pages.
“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment. We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures,” the company said, referring to managed file transfer as a service.
Fortra has said the exploit requires access to the GoAnywhere administrative console, which typically should not be exposed on the open internet. A minority of customers exposed it, Fortra said.