Fortra has finally completed its investigation of the zero-day vulnerability in its GoAnywhere MFT solution, which the Clop extortion gang quickly exploited to steal data from more than 100 companies. The remote code execution vulnerability in GoAnywhere MFT was reported on February 3, after Fortra alerted its customers. However, just a few days later, on February 6, the first working exploit was made public, increasing the likelihood that other attackers would use the vulnerability. By the afternoon of February 6, Fortra had released security updates and urged customers to install them to minimize the risk.
On February 10, the Clop extortion gang publicly stated that it had stolen the data of 130 companies using the aforementioned zero-day vulnerability in GoAnywhere MFT. The cybercriminals managed to carry out such a large-scale theft in just 10 days, gaining initial access between January 28 and 30, according to Fortra's latest report.
On January 30, Fortra became aware of suspicious activity in some instances of GoAnywhere MFT and quickly shut down the cloud service for further investigation. However, by that time the hackers had already been able to take advantage of the vulnerability to create user accounts in some customers' environments. They then used these accounts to download files from the MFT environment. In some instances, the attackers were able to fully compromise networks with malware.
During the investigation, Fortra found that the unauthorized party used the same vulnerability to install up to two additional tools – "Netcat" and "Errors.jsp" – in some customers' MFT environments between January 28 and January 31. Netcat is a general-purpose network utility that attackers often use to install backdoors, scan ports, or transfer files between a compromised system and their own server. Errors.jsp, meanwhile, is a JavaServer Pages file, a format normally used to create dynamic web pages. Fortra did not explain specifically how the attackers used this file, but it may have served to provide remote access to a hacked system, allowing the cybercriminals to execute arbitrary commands, steal data, and maintain access to the environment.
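The two traces described above (unexpected user accounts created in the January 28 to February 6 window, and the "Errors.jsp" and Netcat files) are what a defender would hunt for. The following is an added example, not code from Fortra or the article: the install path, file listing and audit-log format are constructed for the demonstration and must be adapted to a real deployment.

```python
from datetime import datetime, date
import os
from typing import Iterable

# Window in which Fortra's report places initial access and tool installation.
WINDOW_START = date(2023, 1, 28)
WINDOW_END = date(2023, 2, 6)

# File names from the report plus common Netcat binary names (matched case-insensitively).
SUSPECT_FILES = {"errors.jsp", "netcat", "nc", "nc.exe"}


def suspicious_files(paths: Iterable[str]) -> list[str]:
    """Return paths whose file name matches a tool attributed to the intruder."""
    return [p for p in paths if os.path.basename(p).lower() in SUSPECT_FILES]


def accounts_created_in_window(log_lines: Iterable[str]) -> list[str]:
    """Return user names created inside the attack window.

    Assumed (constructed) audit-log format: 'YYYY-MM-DD HH:MM:SS ACTION username actor'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "USER_CREATED":
            continue
        when = datetime.strptime(parts[0], "%Y-%m-%d").date()
        if WINDOW_START <= when <= WINDOW_END:
            hits.append(parts[3])
    return hits


# Constructed sample data for a dry run; the install path is a placeholder.
SAMPLE_FILES = [
    "/opt/goanywhere-placeholder/webapps/ROOT/index.jsp",
    "/opt/goanywhere-placeholder/webapps/ROOT/Errors.jsp",  # indicator from the report
    "/tmp/nc",                                               # dropped Netcat binary
    "/opt/goanywhere-placeholder/webapps/ROOT/login.jsp",
]
SAMPLE_LOG = [
    "2023-01-15 09:12:01 USER_CREATED alice admin",
    "2023-01-29 02:47:33 USER_CREATED svc_backup1 admin",
    "2023-02-02 23:10:05 USER_CREATED sysupdate admin",
    "2023-02-02 23:11:40 LOGIN sysupdate -",
]

if __name__ == "__main__":
    print("Suspicious files:", suspicious_files(SAMPLE_FILES))
    print("Accounts created in attack window:", accounts_created_in_window(SAMPLE_LOG))
```

Any account the hunt flags should be cross-checked against change tickets before it is treated as attacker-created, since legitimate provisioning in the same window will also match.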
As the investigation continued, Fortra identified that this same vulnerability (CVE-2023-0669) was used by attackers during the entire period from January 28 to February 6.