Zero-Day Vulnerability in Fortra’s GoAnywhere MFT Being Actively Exploited
February 15, 2023 Alex Woodie
A critical security vulnerability in Fortra’s (formerly HelpSystems) managed file transfer (MFT) solution, GoAnywhere MFT, is being actively exploited to steal data from companies and possibly even to spread ransomware, according to published reports. Fortra told customers to consider every managed credential in their GoAnywhere environment to be compromised, shut down cloud instances of the service, and issued an emergency patch for the zero-day security vulnerability.
Security reporter Brian Krebs was the first to share news of the vulnerability, which is described as a remote code injection flaw that requires administrative console access for successful exploitation. In a February 2 post on Mastodon, Krebs shared the full text of the February 1 security advisory issued by Fortra, which is not available to the public.
“A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT,” Fortra said in its advisory. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).
“If the administrative console is exposed to the public internet, it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources,” Fortra continues in its advisory. “The Web Client interface, which is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.”
NIST published a CVE entry on the vulnerability on February 6. CVE-2023-0669 details “a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.” On February 7, Fortra released a patch for the vulnerability with version 7.1.2 of GoAnywhere MFT, according to Rapid7, the Boston-based cybersecurity company listed as the source of the information in the CVE.
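The CVE text above describes the root cause as deserialization of an attacker-controlled object. The following added example is not GoAnywhere code and does not reproduce the flaw; it illustrates the general class of defect in plain Java with a hypothetical `LicenseResponse` message type: an unfiltered `ObjectInputStream.readObject()` accepts any class the sender chooses, while a Java 9+ `ObjectInputFilter` allow-list restricts the stream to the one class the endpoint expects and rejects everything else before any object is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserializationDemo {

    // Hypothetical message type standing in for whatever a licensing endpoint
    // legitimately expects; this is not the product's own class.
    static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licenseKey;
        final long expiresEpochSeconds;

        LicenseResponse(String licenseKey, long expiresEpochSeconds) {
            this.licenseKey = licenseKey;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Weak pattern: instantiate whatever class the remote party encoded in the stream.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow exactly the expected class, reject all others ("!*"),
    // and cap nesting depth and stream size so malformed input fails early.
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=3;maxbytes=4096;" + LicenseResponse.class.getName() + ";!*");

    static LicenseResponse deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(LICENSE_FILTER);   // filter runs before any object is built
            return (LicenseResponse) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected message and one unrelated class.
        byte[] expected = serialize(new LicenseResponse("TRIAL-0000", 1_700_000_000L));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered accepts anything: " + deserializeUnfiltered(unexpected).getClass());
        System.out.println("filtered accepts expected:   " + deserializeFiltered(expected).licenseKey);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The JDK reports rejection as "filter status: REJECTED"
            System.out.println("filtered rejects unexpected: " + e.getMessage());
        }
    }
}
```

The filter string lists the allowed class by name and ends with `!*`, so any class not named, including JDK collection types that commonly appear in deserialization gadget chains, is refused with an `InvalidClassException` before its constructor or `readObject` method ever runs. A process-wide default can also be set with the `jdk.serialFilter` system property, which is useful when the application cannot be patched immediately.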
“The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system,” Rapid7 states in its February 3 blog post. “The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.”
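The review Rapid7 describes, comparing the current set of administrative accounts against what the organization knows it created, is straightforward to automate. The example below is added here and is not from Fortra or Rapid7; it assumes a hypothetical CSV export with `username,role,created_by,created_utc` columns (the real product's export format is not shown on this page) and flags administrators that are absent from an approved baseline, were created by `system`, or were created on or after January 30, 2023, the date on which Fortra says it first noticed suspicious activity.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class AdminAccountReview {

    // Constructed sample export; the column layout is an assumption, not the product's format.
    static final String SAMPLE_EXPORT = String.join("\n",
            "username,role,created_by,created_utc",
            "mft-admin,Administrator,installer,2021-03-11T09:15:00Z",
            "j.doe,Administrator,mft-admin,2022-08-02T14:40:00Z",
            "svc_backup,Operator,mft-admin,2022-11-19T03:00:00Z",
            "qa1,Administrator,system,2023-02-01T22:47:13Z",
            "support2,Administrator,j.doe,2023-02-02T01:03:55Z");

    // Baseline of administrative accounts the organization knows it created (constructed).
    static final Set<String> APPROVED_ADMINS = Set.of("mft-admin", "j.doe");

    // Start of the window in which new administrators deserve scrutiny.
    static final Instant INCIDENT_WINDOW_START = Instant.parse("2023-01-30T00:00:00Z");

    record Finding(String username, String reason) {}

    static List<Finding> review(String csv) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = csv.split("\n");
        for (int i = 1; i < lines.length; i++) {            // skip the header row
            String[] f = lines[i].split(",");
            String user = f[0].trim();
            String role = f[1].trim();
            String createdBy = f[2].trim();
            Instant created = Instant.parse(f[3].trim());

            if (!role.equalsIgnoreCase("Administrator")) {
                continue;                                   // only administrators are in scope
            }
            if (!APPROVED_ADMINS.contains(user)) {
                findings.add(new Finding(user, "administrator not in approved baseline"));
            }
            if (createdBy.equalsIgnoreCase("system")) {
                findings.add(new Finding(user, "administrator created by 'system'"));
            }
            if (!created.isBefore(INCIDENT_WINDOW_START)) {
                findings.add(new Finding(user, "administrator created on/after " + INCIDENT_WINDOW_START));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Prints one line per finding; qa1 and support2 are each reported more than once.
        for (Finding f : review(SAMPLE_EXPORT)) {
            System.out.println(f.username() + ": " + f.reason());
        }
    }
}
```

Running the review on a schedule and alerting on any non-empty result turns the one-time audit Fortra recommends into ongoing monitoring; the baseline should be refreshed only through the organization's normal change process so that an attacker-created account cannot silently become "approved".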
The “attacker value” and the “exploitability” of the flaw are both considered to be “very high,” Rapid7 noted in its February 6 technical analysis, which cited a security researcher from the Krebs post who found more than 1,000 GoAnywhere customers had exposed administrative ports to the public.
The risk doesn’t appear to be theoretical, as a ransomware group has already claimed to have exploited more than 130 organizations using the vulnerability, according to a February 10 blog post on BleepingComputer. Sergiu Gatlan, a BleepingComputer reporter, says the Clop ransomware gang has taken credit for the hack.
“Clop reached out to BleepingComputer and told us that they had allegedly stolen the data over the course of 10 days after breaching servers vulnerable to exploits targeting this bug,” Gatlan wrote. “They also claimed that they could move laterally through their victims’ networks and deploy ransomware payloads to encrypt their systems but decided against it and only stole the documents stored on the compromised GoAnywhere MFT servers.”
GoAnywhere MFT was acquired by Fortra back in 2016, when the Eden Prairie, Minnesota, company still went by the name HelpSystems. The Java-based product, which was originally developed by Linoma Software, enables users to securely exchange files via various protocols, including FTP, FTPS, SFTP, HTTP, HTTPS, SMTP, and POP3. The software runs natively on IBM i, Windows, Linux, and other operating systems.
Linoma is one of dozens of security-focused tool and services vendors acquired by Fortra over the years. In November 2022, HelpSystems decided to change its name to Fortra, which the company said better reflected its focus on security.
A Fortra spokesperson responded to IT Jungle’s questions with the following statement:
“On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution. We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, notifying all customers who may have been impacted, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying our recently developed patch.
“Additionally, we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue. We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”
Editor’s note: This story was updated on February 15 with a comment from Fortra.