Fortra completes GoAnywhere MFT investigation

An investigation around the zero-day attack that affected a growing number of victims revealed that activity started earlier than Fortra initially reported.

While fallout might continue, Fortra has completed its final investigation into the GoAnywhere managed file transfer breach that occurred earlier this year.

In January, threat actors exploited a zero-day vulnerability, now tracked as CVE-2023-0669, that affected Fortra's GoAnywhere MFT software. Cybersecurity reporter Brian Krebs publicly disclosed the critical remote code injection flaw on Feb. 2, but Fortra did not release a patch until Feb. 7. Subsequently, the Clop ransomware gang exploited a high number of vulnerable enterprises.

Fortra published findings from the GoAnywhere MFT investigation with Palo Alto Networks' Unit 42 threat intelligence team in a blog post Monday. While the investigation summary did not reveal who was behind the attack or the scope -- despite significant fallout -- the software vendor did provide a timeline and actionable steps.

Fortra confirmed that the initial attack vector was the previously unknown vulnerability CVE-2023-0669, which attackers exploited to create user accounts in some customer MFT environments. In some instances, threat actors also downloaded files, so Fortra said it prioritized customers that experienced a data breach.

The investigation also revealed that attackers installed two additional tools, Netcat and Errors.jsp, though Fortra noted "neither tool was consistently installed in every environment."

As for the attack timeline, exploitation activity occurred earlier than initially reported. Fortra said it first became aware of suspicious GoAnywhere MFT activity Jan. 30, but some on-premises customers were affected two weeks prior without Fortra's knowledge.

"As the investigation unfolded, we were made aware the same CVE-2023-0669 was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution," Fortra wrote in the blog. "Based on reports from customers, this activity pushed the unauthorized activity timeline to January 18."

While Fortra continues to monitor its hosted environment, it appears that implemented mitigations are preventing unauthorized access and activity was limited to the GoAnywhere MFT software.

"At this time, we can confirm this issue was isolated to our GoAnywhere MFT solution and does not involve any other aspects of the Fortra business, or its customers," the blog stated.

Fortra recommended that enterprises rotate master encryption keys, reset all credentials, review audit logs and delete any suspicious admin accounts. In a paragraph marked "important," Fortra said customers should find out if their instances included stored credentials for other systems in the environment and ensure that those credentials have been revoked.

TechTarget Editorial reached out to Fortra for additional details, including how many customers have been affected, but was directed to the blog post.

Ransomware extortion evolution

Fallout from the attack against Fortra's file transfer software highlights new, dangerous trends in the ransomware landscape. Although Fortra has not addressed it, the Clop ransomware gang claimed a substantial number of GoAnywhere MFT victims by exploiting one zero-day vulnerability.

Since February, several prominent enterprises, including cybersecurity vendor Rubrik and Hitachi Energy, confirmed data breaches related to GoAnywhere MFT exploitation. In Hitachi's statement, the energy provider said it "recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group."

To date, CHSPSC has identified 1,173,555 individuals whose personal information may have been impacted by the Fortra Incident.
Community Health Systems

At least four of the victims are part of the healthcare sector. Community Health Systems (CHS), U.S. Wellness, Brightline and Blue Shield of California have all filed data breach notifications related to the GoAnywhere attack.

In a March 7 data security incident advisory, CHS said a limited amount of employee information and other individual data might have been compromised due to exploitation of the Fortra vulnerability. However, a data breach notification issued to the Office of the Maine Attorney General on April 17 revealed that the number is much higher.

"CHSPSC has worked through approximately 99% of the files believed to have been compromised by the Fortra Incident," CHS wrote in the data breach notification. "To date, CHSPSC has identified 1,173,555 individuals whose personal information may have been impacted by the Fortra Incident."

NCC Group, which publishes monthly reports on ransomware trends and the most active groups, found that the number of ransomware victims in March was the highest of any month during the past three years. Researchers observed a 91% increase from February to March as attacks rose from 240 to 459.

"This enormous surge in attacks is likely associated with the highly publicized GoAnywhere MFT vulnerability being exploited across the world, which was notably used by March's most active threat group -- Cl0p," NCC Group said in an email to TechTarget Editorial.

The NCC Group database showed 129 Clop victims in March. On Feb. 10, Bleeping Computer reported that operators behind Clop told the publication it stole data belonging to 130 companies by exploiting the Fortra flaw.

TechTarget Editorial also maintains a ransomware database and found that attacks in March skyrocketed behind increased Clop activity.

The fallout demonstrates an increasing use of zero-day exploits in ransomware attacks and the significant damage it can inflict. The timely patching of an overwhelming number of known vulnerabilities is difficult enough for enterprises.

Christopher Glyer, principal security researcher at Microsoft, addressed the Fortra final investigation findings on Twitter Wednesday.

"Ransomware operators using proceeds to buy zero-day exploits is happening more often than many realize," Glyer wrote on Twitter.

Similarly, Kaspersky found that ransomware operators might be working in close collaboration with exploit developers, based on recent Nokoyawa ransomware attacks that exploited a Windows zero-day vulnerability. Kaspersky researchers also emphasized that the shift to financially motivated groups using zero-day exploits represents a significant increase in sophistication levels among cybercriminals.

Another ransomware trend the Fortra attack further highlighted was threat actors stealing data without deploying ransomware. Encrypted systems were not mentioned in victims' data breach disclosures. Now, operators are becoming more ruthless in the types of sensitive data they will publicly leak to pressure victims into paying.

Joe Slowik, threat intelligence manager at Huntress, told TechTarget Editorial that using a data theft-only approach would likely allow attackers to fly under the radar. Huntress investigated a Fortra GoAnywhere event, but Slowik could not confirm if ransomware was deployed because the threat was quickly contained. He observed the use of Truebot, but Huntress isolated the servers before the attack progressed to ransomware.

While organizations with solid defensive postures are more likely to identify and stop ransomware deployment, Slowik emphasized that it's more difficult to catch exfiltration.

"It's a hard problem to try and catch exfiltration, especially if it's going through third-party services and other applications, because it blends in with other legitimate -- or at least not malicious -- activity," Slowik said. "This might be an interesting development in ransomware operations in avoiding the most disruptive element, which is also the most likely to get you caught fairly quickly, or at least noticed."

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Next Steps

Cleo patches file transfer zero-day flaw under attack

Dig Deeper on Threats and vulnerabilities