In response to GoAnywhere attacks, Fortra says it has taken ‘multiple steps’ with customers, CISA

Software provider Fortra says it is working with customers and the Cybersecurity and Infrastructure Security Agency in response to a spate of cyberattacks targeting a serious vulnerability in its GoAnywhere MFT file-transfer product.

The company has faced significant backlash for being tight-lipped about the attacks on GoAnywhere, which is used by dozens of major organizations, including the University of Cincinnati, Think Mutual Bank, the Nemours pediatric health system and many local government offices.

On Monday, one of the largest health care providers in the U.S. — Community Health Systems — filed documents with the SEC confirming that the sensitive data of more than a million people had been stolen following a breach that involved the compromise of its GoAnywhere system.

That filing came after the Clop ransomware group told BleepingComputer that it hacked into more than 130 organizations through the GoAnywhere vulnerability — which is being tracked as CVE-2023-0669.

CISA added the bug to its list of exploited vulnerabilities on February 10 and gave civilian federal agencies until March 3 to patch the issue. Fortra issued a patch dated February 6.

Throughout all this, Fortra has only published private advisories about the issues in its customer portal and has not addressed the vulnerability publicly. But on Wednesday evening, a spokesperson told The Record that it first was made aware of attacks on GoAnywhere on January 30.

“We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, notifying all customers who may have been impacted, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying our recently developed patch,” the spokesperson said.

“Additionally, we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue. We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”

The timeline outlined by Fortra matches what a Clop representative told BleepingComputer. The hacker claimed on February 10 that they had been stealing data through the vulnerability for 10 days.

They also told the news outlet that they were not deploying ransomware on the affected companies, simply moving laterally throughout victim networks and stealing as much data as possible.

Private advisories

Last week, Fortra published a private advisory within its customer portal explaining that the bug is a remote code injection flaw that requires administrative console access for successful exploitation. In short, if hackers using the vulnerability can get far enough into a system, they can do a lot of damage.

The bug was publicly highlighted by cybersecurity expert Brian Krebs, who published the advisory on social media platform Mastodon and wrote that the company said it “has temporarily implemented a service outage in response.”

The company warned that if an administrative console — the part of the software with power over key settings — is exposed to the public internet, “it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources.”

Security expert Kevin Beaumont shared a search on security platform Shodan that showed there were 1,008 instances of GoAnywhere tools exposed to the internet. By Friday afternoon, that number fell to 1,004, with 580 in the United States and more than 60 in Germany.

The advisory shared by Krebs provides a range of information to help those affected mitigate their exposure.

Community Health Systems — which controls almost 80 hospitals across 16 states — told the SEC this week that protected health information and more were stolen by hackers through the GoAnywhere vulnerability.

The hospital system said that while there has been no effect on hospital operations, the company “currently estimates that approximately one million individuals may have been affected by this attack.”

Community Health also said it plans to send breach notification letters out to victims and provide identity protection services to those affected.

File-sharing platforms like GoAnywhere MFT have been targeted before because of the data they might contain and their widespread use among large organizations.

Vulnerabilities affecting another file transfer provider, Accellion, were used repeatedly to target financial institutions, government agencies, universities and corporations in 2021.

The Clop ransomware gang was one of the groups that exploited the Accellion vulnerability most, attacking several high profile victims that included Morgan Stanley, Shell, the University of Colorado, airplane maker Bombardier, and U.S. retail store chain Kroger.