Fortra Completes Postmortem Of GoAnywhere Vulnerability
June 5, 2023 Alex Woodie
Security firm Fortra recently published an analysis of the zero-day vulnerability that impacted its GoAnywhere MFT customers earlier this year and committed itself to “continuous improvement.” Meanwhile, an analysis shows that dozens of organizations continue to run unpatched and exposed versions of GoAnywhere months after the flaw was discovered and patches became available.
Fortra (formerly HelpSystems) first became aware of the remote code injection vulnerability in its GoAnywhere managed file transfer (MFT) product on January 30, as we previously reported, and quietly alerted customers on February 1. The company says it immediately shut down the hosted version of GoAnywhere that it offered to customers as a service, and shared mitigation information with its customers.
The world became aware of the flaw on February 2, when security researcher Brian Krebs wrote about it on a security blog. On February 6, the security research firm Rapid7 posted its analysis of the vulnerability, which was assigned CVE-2023-0669 in the NIST’s National Vulnerability Database on the same day.
“Based on the mitigations published by Fortra, we confirmed that this is a pre-authentication deserialization issue,” Rapid7 wrote on February 6. “To exploit the vulnerability, you either need network-level access to GoAnywhere MFT’s administration port (by default, port 8000), but this can also be exploited via an internal user’s browser…” NIST gave the vulnerability a base score of 7.2, which is considered a high severity. Rapid7 gave it an “attacker value” of “very high.”
Fortra patched the flaw with the release of GoAnywhere MFT 7.1.2 the following day, on February 7. However, by then the security vulnerability in the Java-based product was being actively exploited by cybercriminals to steal data. The security publication Bleeping Computer wrote on February 10 that a ransomware gang named Clop told it that it had stolen data from more than 130 organizations. While the gang could have deployed ransomware, it decided only to steal files that victims had stored on GoAnywhere MFT servers, the publication wrote.
Several high-profile customer names were reported to have fallen victim to the hack, including Procter & Gamble, Hitachi Energy, Saks Fifth Avenue, Virgin, Rubrik, Crown Resorts, and the governments of Toronto and Tasmania. Community Health Systems (CHS) stated in an SEC filing that private health data for about 1 million individuals was compromised in an attack due to the GoAnywhere flaw.
Fortra was initially reluctant to communicate publicly about the security vulnerability and didn’t respond to IT Jungle’s questions. However, it quickly changed course and issued a statement regarding its actions in response to the security vulnerability.
On April 17, it summarized the findings of an independent security review in a blog post. According to the review, which was conducted by Unit42, a security division of Palo Alto Networks, the cybercriminals used the flaw to create unauthorized user accounts in some hosted GoAnywhere MFT customer environments, which they used to download files from January 28 to January 30.
The attackers also used the vulnerability to install two tools, dubbed “Netcat” and “Errors.jsp,” in some hosted customers’ environments between January 28 and January 31, Fortra said. The company helped customers search for these tools, which were not present in every customer’s environment, and take mitigation measures. No further unauthorized access was detected in customers’ hosted environments after these steps were taken, Fortra said, and the company has provisioned clean instances of GoAnywhere in the cloud and helped customers implement mitigation measures.
But the hack wasn’t limited to Fortra’s cloud offering. The flaw was also used “against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution,” Fortra said in its report. The on-prem hacks started as far back as January 18, it said.
The main culprit in the hack – besides the flaw in GoAnywhere itself – turned out to be the practice of some customers of “running an admin portal exposed to the internet,” Fortra said. The company said it “urgently notified all on-premise customers that a patch was available and shared additional mitigation guidance.”
No other Fortra products were found to be compromised, the company said. Meanwhile, Fortra, which changed its name from HelpSystems last year to reflect its metamorphosis into a security-focused software firm, committed itself to doing better in the future.
“As we move forward from this event, we will continuously review our operating practices and security program to ensure we emerge stronger as an organization,” the company said. “We are committed to continuous improvement as an organization on our current practices in areas such as:
* Secure development and supply chain
* Solution operations, support, and architecture
* Customer communications and best practice documentation.”
For customers running GoAnywhere on-prem, Fortra recommended “not allowing admin portal access from the internet.” It also published the GoAnywhere MFT Hardening Guide and urged customers to check out the GoAnywhere Compliance Center.
Fortra recommended that GoAnywhere customers check whether they are storing credentials for other systems in the GoAnywhere environment “and make sure those credentials have been revoked.” It also provided some best-practice recommendations for secure computing, including rotating the master encryption key; resetting keys and passwords for all external trading partners and systems; and reviewing audit logs and deleting any suspicious admin or Web user accounts.
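The following is an added example, not code from Fortra, Rapid7 or this article, showing how a defender might turn the recommendations above into a repeatable triage: flag instances that are still below the patched release (7.1.2) or that have the admin portal reachable from the internet (the default admin port, 8000, is the one Rapid7 named), and scan audit logs for admin or Web user accounts created during the window the article describes (January 18 through the February 7 patch). The inventory record layout, the audit-log line format, and all host names and user names are constructed assumptions; GoAnywhere’s real log format is not described on the page, so the regex would need to be adapted to the product’s actual audit output.

```python
"""Added example (not Fortra's, Rapid7's or Censys's code): triage GoAnywhere MFT
instances against the mitigation guidance described above.

Assumed: the Instance record layout, the audit-log line format and every
host/user value below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

PATCHED_VERSION = (7, 1, 2)   # fix shipped in GoAnywhere MFT 7.1.2 on February 7, 2023
DEFAULT_ADMIN_PORT = 8000     # default admin port cited in Rapid7's analysis

# Window in which the article says on-prem and hosted abuse occurred (Jan 18 .. patch day).
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 7, 23, 59, 59, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """'7.1.1' -> (7, 1, 1); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Instance:
    host: str                   # constructed name, not a real host
    version: str
    admin_port: int
    admin_port_internet_reachable: bool   # result of an external exposure check


def triage(instances):
    """Return {host: [issues]} where issues are 'unpatched' and/or 'admin-portal-exposed'."""
    findings = {}
    for inst in instances:
        issues = []
        if parse_version(inst.version) < PATCHED_VERSION:
            issues.append("unpatched")
        if inst.admin_port_internet_reachable:
            issues.append("admin-portal-exposed")
        findings[inst.host] = issues
    return findings


# Constructed audit-log format (assumption): "<ISO timestamp> CREATE_USER actor=<a> target=<t> role=<r>"
CREATE_USER_RE = re.compile(
    r"^(?P<ts>\S+) CREATE_USER actor=(?P<actor>\S+) target=(?P<target>\S+) role=(?P<role>\S+)$"
)


def suspicious_account_creations(log_lines, start=WINDOW_START, end=WINDOW_END):
    """List (timestamp, target, role, actor) for admin/web accounts created inside the window.

    Every hit is a candidate for manual review per Fortra's guidance, not an automatic deletion.
    """
    hits = []
    for line in log_lines:
        m = CREATE_USER_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if start <= ts <= end and m["role"] in ("admin", "web"):
            hits.append((m["ts"], m["target"], m["role"], m["actor"]))
    return hits


# Constructed sample inventory and log lines (not real data).
SAMPLE_INSTANCES = [
    Instance("mft-internal-01", "7.1.2", DEFAULT_ADMIN_PORT, False),
    Instance("mft-dmz-01", "7.1.1", DEFAULT_ADMIN_PORT, True),
    Instance("mft-partner-02", "7.2.0", 8443, True),
]
SAMPLE_LOG = [
    "2023-01-10T09:00:00Z CREATE_USER actor=it_ops target=jdoe role=web",
    "2023-01-29T03:14:07Z CREATE_USER actor=goanywhere_svc target=svc_backup2 role=admin",
    "2023-01-31T22:40:51Z CREATE_USER actor=goanywhere_svc target=tmp_xfer role=web",
    "2023-02-15T11:05:00Z LOGIN actor=jdoe result=success",
]

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INSTANCES).items():
        print(host, issues or ["ok"])
    for hit in suspicious_account_creations(SAMPLE_LOG):
        print("review:", hit)
```

The version check deliberately treats anything below 7.1.2 as unpatched rather than matching a list of bad versions, so it keeps working as new releases appear; the exposure flag is an input the script expects from whatever external reachability check the organization already runs, since the point here is correlating the two conditions Censys counted, not scanning.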
Unfortunately, it doesn’t appear that all GoAnywhere customers have heeded those warnings. An analysis by the security threat hunting firm Censys revealed that there are still many unpatched GoAnywhere instances exposed on the Internet.
“Over 2 months after this zero day was disclosed, Censys continues to observe almost 180 hosts running exposed GoAnywhere MFT admin panels, with 30 percent of these (55 hosts) showing indications of remaining unpatched and potentially vulnerable to this exploit,” the company wrote on May 1.
There was little to no improvement by the end of May. In fact, the number of exposed GoAnywhere hosts appears to have gone up after May 29, while the number of exposed and unpatched hosts remained the same from late April.