GoAnywhere MFT attacker was able to create new user accounts: Fortra

Share post:

The threat actor who hacked some customers of Fortra’s GoAnywhere MFT file transfer application used the same vulnerability but different tactics to compromise the cloud and on-premises versions, according to the vendor.

In a summary of the investigation so far into the attacks, for which the Clop ransomware gang is taking credit, Fortra said in late January the unnamed attacker leveraged a zero-day remote code execution vulnerability (CVE-2023-0669). But what happened next depended on whether the customer had a cloud or on-prem version of the utility.

— For those hit who were using the software-as-a-service version between January 28-31, the hacker created unauthorized user accounts, then used those accounts to download files.

The hacker also used the zero-day to install up to two additional tools – Netcat, a command line tool for reading and writing data, and Errors.jsp – in some customer environments. The report doesn’t explain the capabilities of errors.jsp.

“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment,” the report says. “We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.”

— Those hit who used the on-prem version of GoAnywhere MFT around January 18th were running an administration portal exposed to the internet.

The report says the company “promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premises customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premises instances, and we worked with customers to provide support and indicators of compromise.”

The report says Fortra is committed to improving current practices in the areas of secure development and supply chain; solution operations, support, and architecture; and customer communications and best practice documentation.

A number of companies have admitted they were victimized by the vulnerability, including the City of Toronto, Cineplex, Onex, and Hitachi Energy.

The post GoAnywhere MFT attacker was able to create new user accounts: Fortra first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

YouTubers Targeted As Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

Attackers have found a new way to infect people seeking pirated or cracked software: planting malicious download links...

New macOS Malware Exploits Apple’s Security Features to Stay Hidden and Steal User Data

A newly discovered variant of the Banshee macOS Stealer malware is putting 100 million Apple users at risk...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways