GoAnywhere MFT attacker was able to create new user accounts: Fortra

The threat actor who hacked some customers of Fortra’s GoAnywhere MFT file transfer application used the same vulnerability but different tactics to compromise the cloud and on-premises versions, according to the vendor.

In a summary of the investigation so far into the attacks, for which the Clop ransomware gang is taking credit, Fortra said in late January the unnamed attacker leveraged a zero-day remote code execution vulnerability (CVE-2023-0669). But what happened next depended on whether the customer had a cloud or on-prem version of the utility.

— For those hit who were using the software-as-a-service version between January 28-31, the hacker created unauthorized user accounts, then used those accounts to download files.

The hacker also used the zero-day to install up to two additional tools – Netcat, a command line tool for reading and writing data, and Errors.jsp – in some customer environments. The report doesn’t explain the capabilities of errors.jsp.

“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment,” the report says. “We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.”

— Those hit who used the on-prem version of GoAnywhere MFT around January 18th were running an administration portal exposed to the internet.

The report says the company “promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premises customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premises instances, and we worked with customers to provide support and indicators of compromise.”

The report says Fortra is committed to improving current practices in the areas of secure development and supply chain; solution operations, support, and architecture; and customer communications and best practice documentation.

A number of companies have admitted they were victimized by the vulnerability, including the City of Toronto, Cineplex, Onex, and Hitachi Energy.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now