Fortra has published a post-mortem of the GoAnywhere MFT hack that compromised customer data in January and February.

Australian organisations affected by the data breach include Tasmania’s education department, Rio Tinto, and Crown Resorts.
The company said the attack used a zero-day vulnerability, CVE-2023-0669, which it said is a “pre-authentication command injection vulnerability … due to deserialising an arbitrary attacker-controlled object”.
Fortra first observed suspicious activity on January 30, 2023, but later investigation found that on-premises customers whose GoAnywhere admin interfaces were exposed to the internet had been breached as early as January 18.
In its analysis, Fortra said: “Our initial investigation revealed the unauthorised party used CVE-2023-0669 to create unauthorised user accounts in some MFTaaS customer environments.
“For a subset of these customers, the unauthorised party leveraged these user accounts to download files from their hosted MFTaaS environments.”
In some victims' environments the attackers also installed two additional tools: the Netcat utility and a file named Errors.jsp.
Where those tools were found, the company said it worked with the affected customers to remove them.
The company said following remediation, customers should rotate their master encryption key; reset all credentials, including for partners; review audit logs; and delete any “suspicious admin and/or web user accounts”.
If a customer stored credentials for any other systems in their instance, those credentials should also be revoked, the company said.
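As an added example (not Fortra's tooling, and not code from the post-mortem), the following Python script shows how the audit-log review step can be scripted: it flags every account created during the exposure window Fortra reported, correlates file downloads to those accounts, and collects their source IPs for further hunting. The log format, the sample lines, the account names, the IP addresses and the WINDOW_END date are all constructed for illustration; real GoAnywhere audit logs use a different layout and parse_line() would need to be adapted to it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Exposure window reported in the Fortra post-mortem: intrusions from January 18,
# first suspicious activity observed January 30. The end date below is an
# assumption standing in for the date a given instance was actually patched.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 7, tzinfo=timezone.utc)

# Constructed sample audit log in a hypothetical format:
#   <ISO-8601 UTC timestamp> <actor> <ACTION> <target> key=value ...
# Real GoAnywhere audit logs differ; adapt parse_line() to the real layout.
SAMPLE_LOG = """\
2023-01-10T09:12:44Z admin USER_CREATE alice role=WEB_USER ip=10.0.5.21
2023-01-19T03:41:07Z SYSTEM USER_CREATE svc_sync role=ADMIN ip=203.0.113.10
2023-01-19T03:42:30Z svc_sync LOGIN - ip=203.0.113.10
2023-01-19T03:45:02Z svc_sync FILE_DOWNLOAD /payroll/2022-q4.csv ip=203.0.113.10
2023-01-22T11:05:19Z admin USER_CREATE bob role=WEB_USER ip=10.0.5.21
2023-01-22T11:08:00Z bob FILE_DOWNLOAD /partners/contract.pdf ip=10.0.5.88
2023-02-03T18:20:45Z admin LOGIN - ip=10.0.5.21
"""


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str
    attrs: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one audit line of the constructed format; None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    # Trailing key=value pairs (role, ip, ...) become a small attribute dict.
    attrs = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return Event(ts, parts[1], parts[2], parts[3], attrs)


def review(log_text, start=WINDOW_START, end=WINDOW_END):
    """Flag accounts created inside the exposure window and what they touched.

    Returns a report with the flagged accounts and their roles, every file
    download performed by those accounts, and the source IPs they used, which
    can be pivoted on across other systems' logs.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Accounts created inside the window: the post-mortem says the attacker used
    # CVE-2023-0669 to create unauthorised admin and web user accounts.
    created = {}
    for e in events:
        if e.action == "USER_CREATE" and start <= e.ts <= end:
            created[e.target] = e.attrs.get("role", "UNKNOWN")
    downloads = [(e.actor, e.target) for e in events
                 if e.action == "FILE_DOWNLOAD" and e.actor in created]
    pivot_ips = sorted({e.attrs["ip"] for e in events
                        if e.actor in created and "ip" in e.attrs})
    return {
        "suspicious_accounts": dict(sorted(created.items())),
        "downloads_by_suspicious_accounts": downloads,
        "pivot_ips": pivot_ips,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The flagged accounts are review candidates, not an automatic deletion list: legitimate administrators also create accounts, so each hit should be confirmed against change records before the account is removed and the associated credentials, including any partner credentials stored in the instance, are revoked.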