The threat actor who hacked some customers of Fortra’s GoAnywhere MFT file transfer application used the same vulnerability but different tactics to compromise the cloud and on-premises versions, according to the vendor.
In a summary of the investigation so far into the attacks, for which the Clop ransomware gang is taking credit, Fortra said in late January the unnamed attacker leveraged a zero-day remote code execution vulnerability (CVE-2023-0669). But what happened next depended on whether the customer had a cloud or on-prem version of the utility.
— For those hit who were using the software-as-a-service version between January 28-31, the hacker created unauthorized user accounts, then used those accounts to download files.
The hacker also used the zero-day to install up to two additional tools – Netcat, a command line tool for reading and writing data, and Errors.jsp – in some customer environments. The report doesn’t explain the capabilities of errors.jsp.
“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment,” the report says. “We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.”
— Those hit who used the on-prem version of GoAnywhere MFT around January 18th were running an administration portal exposed to the internet.
The report says the company “promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premises customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premises instances, and we worked with customers to provide support and indicators of compromise.”
The report says Fortra is committed to improving current practices in the areas of secure development and supply chain; solution operations, support, and architecture; and customer communications and best practice documentation.
A number of companies have admitted they were victimized by the vulnerability, including the City of Toronto, Cineplex, Onex, and Hitachi Energy.