GoAnywhere MFT attacker was able to create new user accounts: Fortra

The threat actor who hacked some customers of Fortra’s GoAnywhere MFT file transfer application used the same vulnerability but different tactics to compromise the cloud and on-premises versions, according to the vendor.

In a summary of the investigation so far into the attacks, for which the Clop ransomware gang is taking credit, Fortra said in late January the unnamed attacker leveraged a zero-day remote code execution vulnerability (CVE-2023-0669). But what happened next depended on whether the customer had a cloud or on-prem version of the utility.

— For those hit who were using the software-as-a-service version between January 28-31, the hacker created unauthorized user accounts, then used those accounts to download files.

The hacker also used the zero-day to install up to two additional tools – Netcat, a command line tool for reading and writing data, and Errors.jsp – in some customer environments. The report doesn’t explain the capabilities of errors.jsp.

“When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment,” the report says. “We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.”

— Those hit who used the on-prem version of GoAnywhere MFT around January 18th were running an administration portal exposed to the internet.

The report says the company “promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premises customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premises instances, and we worked with customers to provide support and indicators of compromise.”

The report says Fortra is committed to improving current practices in the areas of secure development and supply chain; solution operations, support, and architecture; and customer communications and best practice documentation.

A number of companies have admitted they were victimized by the vulnerability, including the City of Toronto, Cineplex, Onex, and Hitachi Energy.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.