Fortra has concluded its investigation into the exploitation of CVE-2023-0669, a zero-day vulnerability in the GoAnywhere MFT solution, which the Clop ransomware gang used to steal data from over a hundred companies. The critical remote code execution flaw became publicly known after Fortra notified customers on February 3rd, 2023. A working exploit was released on February 6th, 2023, increasing the likelihood that other threat actors would exploit it. Fortra released a security update for the zero-day vulnerability a day later, urging all customers to install it. On February 10th, 2023, the Clop ransomware gang claimed that it had managed to steal data from 130 companies by exploiting the bug in GoAnywhere MFT. Despite numerous attempts to contact Fortra about the reported attacks and extortion attempts, the software vendor did not respond.
Almost 1.5 months after the first disclosure of the zero-day, Fortra has shared a detailed timeline of the events. According to Fortra’s announcement, the company became aware of suspicious activity in certain GoAnywhere MFTaaS instances on January 30th, 2023, and promptly took down the cloud service to investigate further. The investigation revealed that a threat actor leveraged the then-unknown vulnerability between January 28th and January 30th, 2023, to create user accounts in some customer environments. The intruder then used these accounts to download files from the MFT environment. Fortra says it prioritized communications with the subset of clients who suffered a data breach.
In addition, the threat actors used their new accounts to install additional tools in some customer environments. “During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools - “Netcat” and “Errors.jsp” - in some MFTaaS customer environments between January 28, 2023, and January 31, 2023,” explains Fortra. Netcat is a versatile networking utility that threat actors typically use to establish backdoors, conduct port scanning, or transfer files between the compromised system and their server. Errors.jsp is a JavaServer Pages (JSP) file used for creating dynamic web pages. Fortra does not explain how the attackers used the file, but it’s possible that it was designed to provide the attacker with a web-based backdoor on the breached system for executing commands, stealing data, or maintaining access to the environment.
As the investigation continued, Fortra discovered that the same flaw had been leveraged against on-premise customers running a specific configuration of the GoAnywhere MFT, moving the first signs of exploitation back to January 18th, 2023. This means that CVE-2023-0669 was under active, albeit reportedly limited exploitation, for approximately two weeks before the software vendor realized the security breach. Fortra says that it has helped and guided all customers directly impacted by these attacks on how to secure their instances and configure their GoAnywhere MFT securely. However, it has listed mitigations and recommendations in its latest announcement, urging customers to perform the following actions if they haven’t already: Additionally, if the exposed GoAnywhere MFT instances hosted credentials of users of other systems in the environment, those should be revoked to prevent subsequent breaches or lateral network movement.