Advisory

Fortra with Details of GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Take action: When a major provider has a vulnerability, the cascade is huge: hundreds of companies that use the provider, as well as their customers, are at risk. Stay vigilant about your providers and push for regular patching and risk mitigation such as key rotation, which is very unpleasant but worth the effort.



Fortra has disclosed a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool, which has been actively exploited by ransomware actors to steal sensitive data. The high-severity flaw, identified as CVE-2023-0669, is a pre-authentication command injection that allows unauthorized code execution. Although the issue was patched in February 2023 with version 7.1.2 of the software, it had been exploited as a zero-day since January 18.

Fortra became aware of suspicious activity related to some file transfer instances on January 30, 2023. The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in certain Managed File Transfer as a Service (MFTaaS) customer environments and subsequently downloaded files from those hosted environments. The threat actor also deployed two additional tools, known as "Netcat" and "Errors.jsp," between January 28 and January 31, 2023.

As mitigation, Fortra recommends rotating the Master Encryption Key, resetting all credentials, reviewing audit logs, and deleting any suspicious admin or user accounts.
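One way to start the recommended audit-log review, as an added example that is not Fortra's tooling or code from the original advisory: it flags accounts created from January 18, 2023 (the first known exploitation date) until the instance was patched, and lists what each of them downloaded. The CSV columns, action names, sample rows and the patch date are constructed assumptions; map them to your own audit export.

```python
import csv
import io
from datetime import datetime, timezone

# First known zero-day exploitation date, as stated in the advisory.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)

# Constructed value: when this (hypothetical) instance was upgraded to 7.1.2.
SAMPLE_PATCHED_AT = datetime(2023, 2, 10, tzinfo=timezone.utc)

# Constructed sample export. Column names and action values are assumptions,
# not GoAnywhere's real audit log schema.
SAMPLE_AUDIT_CSV = """timestamp,actor,action,target
2023-01-10T09:12:00+00:00,admin,CREATE_USER,svc_reports
2023-01-29T02:41:00+00:00,system,CREATE_USER,tmpadm01
2023-01-29T02:44:00+00:00,tmpadm01,DOWNLOAD,/exports/claims_q4.zip
2023-01-30T11:05:00+00:00,svc_reports,DOWNLOAD,/exports/daily.csv
2023-02-20T08:00:00+00:00,admin,CREATE_USER,new_hire
"""


def triage(audit_csv, patched_at, approved_accounts=frozenset()):
    """Return {account: [downloaded paths]} for accounts that were created
    between WINDOW_START and patched_at and are not on the approved list."""
    rows = sorted(
        csv.DictReader(io.StringIO(audit_csv)),
        key=lambda r: datetime.fromisoformat(r["timestamp"]),
    )
    suspects = {}
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        if row["action"] == "CREATE_USER":
            in_window = WINDOW_START <= when <= patched_at
            if in_window and row["target"] not in approved_accounts:
                suspects[row["target"]] = []
        elif row["action"] == "DOWNLOAD" and row["actor"] in suspects:
            # Files pulled by a suspect account are candidates for breach scoping.
            suspects[row["actor"]].append(row["target"])
    return suspects


def run_sample():
    """Run the triage over the constructed sample export."""
    return triage(SAMPLE_AUDIT_CSV, SAMPLE_PATCHED_AT)


if __name__ == "__main__":
    for account, files in run_sample().items():
        print(f"review account {account}: downloaded {files or 'nothing logged'}")
```

Accounts the script reports are candidates for review and deletion, and their download lists indicate which data to treat as exposed.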

The GoAnywhere MFT vulnerability continues to be actively exploited at various companies that use that software and service to exchange confidential data, mostly in the healthcare industry.
