We’d like to provide an update on our investigation into the suspicious activity detected in our Fortra GoAnywhere MFT solution. Working with Unit 42, we have completed our investigation and have compiled a factual summary of the investigation, as well as continuous improvement actions Fortra is taking to further strengthen our systems and recommended actions customers can take to secure their data and improve their security posture using available features in the GoAnywhere MFT solution.
What happened:
On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution. We quickly implemented a temporary service outage and commenced an investigation.
We discovered between January 28, 2023, and January 30, 2023, an unauthorized party used a previously unknown, zero-day remote code execution (RCE) vulnerability to access certain GoAnywhere customers’ systems. This vulnerability was assigned CVE-2023-0669.
Our initial investigation revealed the unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments. For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments. We prioritized communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.
During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools – “Netcat” and “Errors.jsp” – in some MFTaaS customer environments between January 28, 2023, and January 31, 2023. The threat actor was not able to install both tools in every customer environment, and neither tool was consistently installed in every environment.
When we identified the tools used in the attack, we communicated directly with each customer if either of these tools was discovered in their environment. We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.
On Premise Customers
As the investigation unfolded, we were made aware the same CVE-2023-0669 was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution. Based on reports from customers, this activity pushed the unauthorized activity timeline to January 18.
We determined that customers running an admin portal exposed to the internet, which represents a small minority of customers, were at an increased risk and promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premise customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premise instances, and we worked with customers to provide support and indicators of compromise.
At this time, we can confirm this issue was isolated to our GoAnywhere MFT solution and does not involve any other aspects of the Fortra business, or its customers.
Next Steps
As we move forward from this event, we will continuously review our operating practices and security program to ensure we emerge stronger as an organization. We are committed to continuous improvement as an organization on our current practices in areas such as:
- Secure development and supply chain
- Solution operations, support, and architecture
- Customer communications and best practice documentation
For all customers, we recommend they follow the mitigation actions listed below, as well as employ industry-specific configuration practices regarding data protection available in our customer center. For on-premise GoAnywhere customers, we recommend following our stated implementation guidelines, including not allowing admin portal access from the internet.
GoAnywhere continues to include a number of security features that our customers may implement to help further safeguard data within their GoAnywhere MFT environment. Customers should download and follow the best practices defined in the manuals available in the customer portal: https://my.goanywhere.com/ including the “GoAnywhere MFT Hardening Guide.”
Customers should also review the GoAnywhere Compliance Center: https://www.goanywhere.com/solutions/compliance
Customers are responsible for ensuring their use and configuration of the GoAnywhere product complies with all applicable laws and regulations. The compliance center features guidance on leveraging the GoAnywhere product for customers across industries and geographic locations. We recommend customers review their specific data protection requirements and ensure they enable appropriate features in their MFT environment to meet the relevant current data security standards.
RECOMMENDED ACTIONS FOLLOWING MITIGATION/REMEDIATION:
- Rotate your Master Encryption Key.
- Reset all credentials – keys and/or passwords – including for all external trading partners/systems.
- Review audit logs and delete any suspicious admin and/or web user accounts.
IMPORTANT:
Customers should determine whether their instances included stored credentials for other systems in the environment and make sure those credentials have been revoked. This includes passwords and keys used to access any external systems with which GoAnywhere is integrated. Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.
Source: https://www.fortra.com/blog/summary-investigation-related-cve-2023-0669