Fortra, the developer of GoAnywhere MFT, has issued emergency security updates so that customers can secure their servers against incoming attack attempts. The company also said that some of its MFTaaS instances were breached in the attacks. "We have determined that an unauthorized party accessed the systems via a previously unknown exploit and created unauthorized user accounts," Fortra said. "As part of our actions to address this and out of an abundance of caution, we have implemented a temporary service outage. Service continues to be restored on a customer-by-customer basis as mitigation is applied and verified within each environment." CISA has also added the CVE-2023-0669 GoAnywhere MFT vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch their systems within the next three weeks.
Clop's alleged use of the GoAnywhere MFT zero-day to steal data is similar to the tactic they used in December 2020, when they discovered and exploited an Accellion FTA zero-day vulnerability to steal the data of approximately 100 companies. In June 2021, some of Clop's infrastructure was shut down following an international law enforcement operation. The gang has also been linked to ransomware attacks worldwide since at least 2019. As Fortra said, "We are working directly with customers to assess their individual potential impact, apply mitigations, and restore systems."