Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal the data of over a hundred companies.
The critical GoAnywhere remote code execution flaw became publicly known after Fortra informed its customers on February 3, 2023.
A proof-of-concept exploit was released on February 6, 2023, increasing the likelihood that other threat actors would exploit it. Fortra released the security update for the zero-day vulnerability a day later, urging all customers to install it.
On February 10, 2023, the Clop ransomware gang told BleepingComputer that it had stolen data from 130 companies by exploiting the GoAnywhere MFT bug.
Now, nearly a month and a half after the initial zero-day disclosure, Fortra has shared a detailed timeline of what happened.
Breaches since January 18, 2023
According to Fortra's announcement, the company became aware of suspicious activity in certain instances of GoAnywhere MFTaaS on January 30, 2023, and promptly took the cloud service offline to investigate further.
The investigation revealed that a threat actor exploited the then-unknown vulnerability between January 28 and January 30, 2023, to create user accounts in certain customer environments.
Then the intruder used these accounts to download files from the MFT environment. Fortra says it prioritized communications with the subset of customers who experienced a data breach.
Additionally, the attackers used their newly created accounts to install further tools in some customer environments.
“During the investigation, we discovered that the unauthorized party used CVE-2023-0669 to install up to two additional tools – “Netcat” and “Errors.jsp” – in certain MFTaaS client environments between January 28, 2023 and January 31, 2023,” explains Fortra.
“Once we identified the tools used in the attack, we communicated directly with each customer if any of these tools were discovered in their environment.”
Netcat is a versatile networking utility that attackers commonly use to establish backdoors, perform port scanning, or transfer files between the compromised system and their own infrastructure.
Errors.jsp is a JavaServer Pages (JSP) file, a format normally used to generate dynamic web pages. Fortra does not explain how the attackers used the file. However, a JSP file dropped on a web server is commonly a web shell, so it was likely designed to give the attacker a web-based backdoor to the compromised system for executing commands, stealing data, or maintaining access to the environment.
As the investigation continued, Fortra discovered that the same flaw had been exploited against on-premises customers running a specific configuration of GoAnywhere MFT, and dated the earliest signs of exploitation to January 18, 2023.
This means that CVE-2023-0669 was under active, albeit apparently limited, exploitation for roughly two weeks before the vendor became aware of the security flaw.
Fortra says it has helped and guided all customers directly impacted by these attacks on how to secure their instances and configure GoAnywhere MFT securely.
It also listed mitigations and recommendations in its latest announcement, urging customers to take the following actions if they haven't already:
- Rotate your master encryption key.
- Reset all credentials – keys and/or passwords – including for all trading partners/external systems.
- Examine audit logs and remove any suspicious administrator and/or web user accounts.
Additionally, if exposed GoAnywhere MFT instances were storing user credentials for other systems in the environment, those credentials must be revoked to prevent follow-on breaches or lateral movement across the network.
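As an added example that is not part of Fortra's announcement or of this article, the following Python script shows how the third recommendation (examine audit logs for accounts created during the exploitation window) and the check for the two named tool artifacts can be automated. The log line format, event names and sample entries below are constructed for illustration only; GoAnywhere's real audit log schema differs, so the parser must be adapted to the export you actually have.

```python
"""Hunting sketch for the GoAnywhere MFT incident (added example, not Fortra's code).

Flags (1) user accounts created inside the exploitation window Fortra
reported, and (2) file events whose basename matches the tools Fortra
named (Netcat, Errors.jsp). The log format is CONSTRUCTED and hypothetical.
"""
from dataclasses import dataclass
from datetime import date, datetime
import posixpath
import re

# Window from Fortra's timeline: earliest exploitation Jan 18, tools dropped through Jan 31.
WINDOW_START = date(2023, 1, 18)
WINDOW_END = date(2023, 1, 31)

# Basenames of the artifacts Fortra says were installed (lowercased for comparison).
SUSPICIOUS_ARTIFACTS = {"netcat", "nc", "nc.exe", "errors.jsp"}

# Constructed sample lines in a hypothetical format:
#   "<ISO timestamp> <EVENT> key=value key=value ..."
SAMPLE_LOG = """\
2023-01-12T09:14:02Z USER_CREATED user=alice by=admin role=user
2023-01-29T02:41:17Z USER_CREATED user=svc_sync by=system role=admin
2023-01-29T02:45:03Z FILE_DOWNLOAD user=svc_sync path=/payroll/2022_w2.zip
2023-01-30T23:59:40Z FILE_UPLOAD user=svc_sync path=/webapp/Errors.jsp
2023-02-07T11:00:00Z USER_CREATED user=bob by=admin role=user
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


@dataclass
class Finding:
    timestamp: str
    event: str
    user: str
    reason: str


def parse_fields(rest: str) -> dict:
    """Turn 'key=value key=value' into a dict (hypothetical log format)."""
    return dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)


def hunt(log_text: str) -> list:
    """Return Findings for window-period account creation and known artifact names."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts = m.group("ts")
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue
        event = m.group("event")
        fields = parse_fields(m.group("rest"))
        user = fields.get("user", "?")

        # Recommendation 3: any account created during the exploitation window
        # deserves review, admin accounts most of all.
        if event == "USER_CREATED" and WINDOW_START <= day <= WINDOW_END:
            role = fields.get("role", "unknown")
            findings.append(Finding(ts, event, user,
                                    f"account created during exploitation window (role={role})"))

        # Named artifacts: compare the basename, so '/tmp/sync' is not a false hit for 'nc'.
        path = fields.get("path", "")
        if path and posixpath.basename(path).lower() in SUSPICIOUS_ARTIFACTS:
            findings.append(Finding(ts, event, user,
                                    f"known attacker artifact name: {path}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.event:<13} user={f.user:<10} {f.reason}")
```

Run against a real export, the output is a review list rather than a verdict: every account created in the window is checked against change tickets before removal, and any hit on the artifact names is escalated for forensic collection of the file itself, since a renamed web shell would not be caught by name matching alone.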