Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies.
The critical GoAnywhere remote code execution flaw became publicly known after Fortra notified customers on February 3rd, 2023.
A working exploit was soon released on February 6th, 2023, increasing the likelihood other threat actors would exploit it. Fortra released the security update for the zero-day vulnerability a day later, urging all customers to install it.
On February 10th, 2023, the Clop ransomware gang told BleepingComputer that it had managed to steal the data for 130 companies by exploiting the bug in GoAnywhere MFT.
Despite numerous attempts by BleepingComputer to contact Fortra about the reported attacks and extortion attempts, the software vendor did not respond.
Now, almost 1.5 months after the first disclosure of the zero-day, Fortra has shared a detailed timeline of what happened.
Breached since January 18, 2023
According to Fortra’s announcement, the company became aware of suspicious activity in certain GoAnywhere MFTaaS instances on January 30th, 2023, and quickly took down the cloud service to investigate further.
The investigation revealed that a threat actor leveraged the then-unknown vulnerability between January 28th and January 30th, 2023, to create user accounts in some customer environments.
Next, the intruder used these accounts to download files from the MFT environment. Fortra says it prioritized communications with the subset of clients who suffered a data breach.
Additionally, the threat actors used their new accounts to install additional tools in some customer environments.
“During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools – “Netcat” and “Errors.jsp” – in some MFTaaS customer environments between January 28, 2023, and January 31, 2023,” explains Fortra.
“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment.”
Netcat is a versatile networking utility that threat actors typically use to establish backdoors, conduct port scanning, or transfer files between the compromised system and their server.
Errors.jsp is a JavaServer Pages (JSP) file used for creating dynamic web pages. Fortra does not explain how the attackers used the file. However, it’s possible that it was designed to provide the attacker with a web-based backdoor on the breached system for executing commands, stealing data, or maintaining access to the environment.
As the investigation continued, Fortra discovered that the same flaw had been leveraged against on-premise customers running a specific configuration of the GoAnywhere MFT, moving the first signs of exploitation back to January 18th, 2023.
This means that CVE-2023-0669 was under active, albeit reportedly limited exploitation, for approximately two weeks before the software vendor realized the security breach.
Recommendations
Fortra says that it has helped and guided all customers directly impacted by these attacks on how to secure their instances and configure their GoAnywhere MFT securely.
However, it has listed mitigations and recommendations in its latest announcement, urging customers to perform the following actions if they haven’t already:
- Rotate your Master Encryption Key.
- Reset all credentials – keys and/or passwords – including for all external trading partners/systems.
- Review audit logs and delete any suspicious admin and/or web user accounts.
Additionally, if the exposed GoAnywhere MFT instances hosted credentials of users of other systems in the environment, those should be revoked to prevent subsequent breaches or lateral network movement.