Fortra, a leading provider of managed file transfer (MFT) solutions, has released an update on the investigation into suspicious activity detected in its GoAnywhere MFT solution. The company has been working with cybersecurity firm Unit 42 to investigate the incident and has now provided a factual summary of the investigation, along with continuous improvement actions it is taking to strengthen its systems.
According to Fortra, the security incident began on January 30, 2023, when the company became aware of suspicious activity within certain instances of its GoAnywhere MFTaaS (Managed File Transfer as a Service) solution. Fortra quickly implemented a temporary service outage and commenced an investigation into the matter.
The investigation revealed that between January 28 and January 30, 2023, an unauthorized party exploited a previously unknown, zero-day remote code execution (RCE) vulnerability to access certain GoAnywhere customers’ systems. This vulnerability, which allowed the unauthorized party to create user accounts and download files from some MFTaaS environments, was assigned CVE-2023-0669.
Fortra discovered that the threat actor used CVE-2023-0669 to install additional tools, “Netcat” and “Errors.jsp,” in some MFTaaS customer environments between January 28 and January 31, 2023. Although neither tool was installed in every environment, the company communicated directly with affected customers and worked to implement mitigation measures.
As the investigation continued, Fortra became aware that the same CVE-2023-0669 vulnerability was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution, pushing the timeline of unauthorized activity back to January 18. Customers with an admin portal exposed to the internet were found to be at an increased risk. In response, Fortra urgently notified all on-premise customers that a patch was available and provided additional mitigation guidance.
At this time, Fortra has confirmed that the issue was isolated to the GoAnywhere MFT solution and does not involve any other aspects of the company’s business or its customers. The company is committed to continuously reviewing its operating practices and security program, with a focus on secure development, solution operations, customer communications, and best practice documentation.
Customers have been advised to take several recommended actions following mitigation and remediation efforts. These actions include rotating their Master Encryption Key, resetting all credentials, and reviewing audit logs to delete any suspicious admin and web user accounts. Additionally, customers are encouraged to determine whether their instances included stored credentials for other systems and ensure that those credentials have been revoked.
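The audit-log review recommended above is easier to do systematically than by eye. The following script is an added example, not code from Fortra or from the GoAnywhere product: it walks a constructed, CSV-style audit log (the column layout and event names are assumptions for this example, not GoAnywhere's real format), flags every admin or web user account created during the window of unauthorized activity the article gives (January 18 to January 31, 2023), flags transitively any account that a flagged account later created, and lists the file downloads those accounts performed so a defender knows which credentials and data to treat as exposed.

```python
"""Triage helper: find accounts created during an incident window, plus their activity.

Added example for the Fortra GoAnywhere article; the audit-log format below is
constructed for illustration and is not the product's actual log schema.
"""
import csv
from datetime import datetime, timezone
from io import StringIO

# Window of unauthorized activity reported for the incident (inclusive).
INCIDENT_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
INCIDENT_END = datetime(2023, 1, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample audit log. Columns (timestamp, source, event, actor, subject)
# are an assumption made for this example. "subject" is the created user for
# USER_CREATED rows and the file path for FILE_DOWNLOAD rows.
SAMPLE_AUDIT_LOG = """\
timestamp,source,event,actor,subject
2023-01-10T09:12:00Z,admin_portal,USER_CREATED,alice.admin,bob.ops
2023-01-19T02:41:13Z,admin_portal,USER_CREATED,alice.admin,svc_backup2
2023-01-29T03:14:22Z,admin_portal,USER_CREATED,svc_backup2,web_tmp01
2023-01-29T03:15:40Z,web_client,FILE_DOWNLOAD,web_tmp01,/exports/finance.zip
2023-01-30T11:05:09Z,admin_portal,LOGIN,alice.admin,
2023-02-01T08:00:00Z,admin_portal,USER_CREATED,web_tmp01,web_tmp02
2023-02-03T14:20:00Z,admin_portal,USER_CREATED,alice.admin,carol.new
"""


def parse_audit_log(text):
    """Yield one dict per log row with the timestamp parsed as an aware datetime."""
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        yield row


def flag_accounts(text, start=INCIDENT_START, end=INCIDENT_END):
    """Return {account: reason} for accounts created inside the window, or by a flagged account.

    Rows are processed in time order so that an account created by an already
    flagged account is caught even when its creation falls outside the window.
    """
    flagged = {}
    for row in sorted(parse_audit_log(text), key=lambda r: r["timestamp"]):
        if row["event"] != "USER_CREATED":
            continue
        in_window = start <= row["timestamp"] <= end
        if in_window:
            flagged[row["subject"]] = "created during incident window"
        elif row["actor"] in flagged:
            flagged[row["subject"]] = f"created by flagged account {row['actor']}"
    return flagged


def downloads_by_flagged(text, flagged):
    """Return (account, path, timestamp) for every download performed by a flagged account."""
    return [
        (row["actor"], row["subject"], row["timestamp"])
        for row in parse_audit_log(text)
        if row["event"] == "FILE_DOWNLOAD" and row["actor"] in flagged
    ]


if __name__ == "__main__":
    suspects = flag_accounts(SAMPLE_AUDIT_LOG)
    for account, reason in suspects.items():
        print(f"REVIEW/DELETE {account}: {reason}")
    for account, path, ts in downloads_by_flagged(SAMPLE_AUDIT_LOG, suspects):
        print(f"EXPOSED {path} downloaded by {account} at {ts.isoformat()}")
```

On the constructed log the script flags `svc_backup2` and `web_tmp01` (created inside the window) and `web_tmp02` (created after the window, but by `web_tmp01`), while leaving `bob.ops` and `carol.new` alone because a legitimate administrator created them outside the window. The downloaded path tells the reviewer which stored credentials and files to treat as compromised when rotating keys and revoking access, as the article's guidance asks.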