Following the hack on its GoAnywhere MFT cloud service, software company Fortra has released a full summary of its investigation.
The GoAnywhere attack, believed to have been conducted by the Clop ransomware group, was discovered by Fortra on 30 January this year and affected 130 organisations, according to the threat group.
“On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution,” said the update.
“We quickly implemented a temporary service outage and commenced an investigation.”
Australian institutions such as mining giant Rio Tinto, Meriton, and the Tasmanian government have all revealed that they were affected by the supply chain attack.
According to Fortra’s latest update, its investigation was conducted in conjunction with Palo Alto Networks’ incident response team, Unit 42.
The initial investigation revealed that the threat actors used a specific vulnerability to create unauthorised user accounts on the GoAnywhere system.
“Our initial investigation revealed the unauthorised party used CVE-2023-0669 to create unauthorised user accounts in some MFTaaS customer environments,” the summary said.
“For a subset of these customers, the unauthorised party leveraged these user accounts to download files from their hosted MFTaaS environments.
“We prioritised communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.”
Further investigation revealed that Clop installed two malicious tools in several customer environments, although not always both and not in every environment.
“The threat actor was not able to install both tools in every customer environment, and neither tool was consistently installed in every environment,” it said.
The vulnerability was also used on a number of on-premises customers running a specific version of GoAnywhere.
Fortra said that customers running an internet-accessible admin portal were at “an increased risk.” These customers were urgently contacted “regarding mitigation of this risk”.
The company has since said it has concluded its investigation and will “continuously review” its security and operating procedures to prevent similar incidents in the future.
It has also recommended that users of GoAnywhere carry out a number of “mitigation/remediation” steps, which include rotating master encryption keys, resetting all credentials and reviewing all audit logs for suspicious accounts and activity.
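The audit log review Fortra recommends is aimed at the two-step pattern its summary describes: an account is created without authorisation, and that account is then used to download files. The following script is an added example and is not Fortra’s code or guidance; the audit log format, the event names (USER_CREATED, LOGIN, FILE_DOWNLOAD), the actor names and the sample lines are all constructed for the example and do not reflect GoAnywhere’s real log layout. It flags any account created by someone outside an approved administrator list, follows the chain when a flagged account creates further accounts, and then lists every download those accounts performed.

```python
"""Triage a constructed MFT-style audit log for the pattern described in
Fortra's summary: unauthorised account creation followed by file downloads.

Assumed line format (constructed for this example, NOT GoAnywhere's real format):
    <ISO-8601 UTC timestamp> <actor> <EVENT> <target>
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical log shape; field names and event vocabulary are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<actor>\S+)\s+"
    r"(?P<event>USER_CREATED|LOGIN|FILE_DOWNLOAD)\s+"
    r"(?P<target>\S+)$"
)

# Administrators who are allowed to create accounts (assumption for the example).
APPROVED_ADMINS = {"alice"}

# Constructed sample log: one legitimate account creation, then an account
# created by a non-admin actor that creates a second account and both download files.
SAMPLE_LOG = [
    "2023-01-28T09:12:03Z alice USER_CREATED bob",             # legitimate
    "2023-01-29T02:41:17Z system USER_CREATED svc_backup1",    # creator not an approved admin
    "2023-01-29T02:42:05Z svc_backup1 LOGIN svc_backup1",
    "2023-01-29T02:43:11Z svc_backup1 USER_CREATED svc_backup2",  # chained creation
    "2023-01-29T02:45:30Z svc_backup1 FILE_DOWNLOAD /payroll/2022-q4.csv",
    "2023-01-29T02:46:02Z svc_backup2 FILE_DOWNLOAD /legal/contracts.zip",
    "2023-01-29T08:00:00Z bob FILE_DOWNLOAD /reports/weekly.pdf",  # legitimate user
    "this line does not match the expected format",             # deliberately malformed
]


@dataclass
class Event:
    ts: datetime
    actor: str
    event: str
    target: str


def parse(lines):
    """Parse log lines into Events; returns (events sorted by time, count of unparsed lines)."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # a real triage would keep these for manual review, not drop them
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["actor"], m["event"], m["target"]))
    events.sort(key=lambda e: e.ts)
    return events, skipped


def triage(lines, approved_admins):
    """Flag accounts created by non-approved or already-flagged actors and list their downloads."""
    events, skipped = parse(lines)
    suspicious = set()
    for e in events:  # chronological, so chained creations are caught in order
        if e.event == "USER_CREATED" and (
            e.actor not in approved_admins or e.actor in suspicious
        ):
            suspicious.add(e.target)
    downloads = [
        (e.actor, e.target)
        for e in events
        if e.event == "FILE_DOWNLOAD" and e.actor in suspicious
    ]
    return {
        "suspicious_accounts": sorted(suspicious),
        "downloads_by_suspicious": downloads,
        "unparsed_lines": skipped,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, APPROVED_ADMINS)
    for account in result["suspicious_accounts"]:
        print(f"suspicious account: {account}")
    for actor, path in result["downloads_by_suspicious"]:
        print(f"download by {actor}: {path}")
    print(f"unparsed lines: {result['unparsed_lines']}")
```

The approved-administrator list is the key input: an account created by anyone outside it, or by an account that was itself flagged, is treated as suspect, and every download by such an account is surfaced as a candidate for the data-theft scoping Fortra describes. Malformed lines are counted rather than silently dropped, since gaps in a log are themselves worth noting during an incident review.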
No other aspects of Fortra’s business were affected outside of the GoAnywhere MFT solution.
The software vendor has not yet revealed the number of impacted customers nor whether Clop’s claims of 130 organisations are indeed true.