The GoAnywhere data breach explained
How a zero-day vulnerability in Fortra’s GoAnywhere MFT product led to breaches of high-profile firms across the globe
In February 2023, a zero-day vulnerability affecting GoAnywhere MFT, a managed file transfer (MFT) product sold by Fortra (formerly HelpSystems), came to light.
Threat actors have since abused the flaw to breach several large organizations. The ransomware group Cl0p has claimed attacks on over 130 organizations through the vulnerability, including Hitachi Energy, Procter & Gamble, and Rubrik.
In a departure from its usual pattern, Cl0p did not deploy a locker (malware that encrypts user files or an entire device until a ransom is paid) in these attacks. Rather than its normal double extortion model of encrypting first and then threatening to leak, the group relied on data theft alone and the threat of publication.
Information on the exact ransoms demanded of Cl0p’s victims in this campaign has been scarce.
Although Fortra patched the vulnerability within days of it becoming public, many organizations are slow to apply updates after a security disclosure. Attacks therefore continued after the fix was available, and unpatched instances may still be exposed.
GoAnywhere data breach: Timeline of events
After uncovering evidence of suspicious activity in GoAnywhere MFT in January 2023, Fortra opened an investigation. On 1 February the firm issued an advisory to its customers, but placed it behind a login screen.
The information was not available to the wider public and still isn’t via the company’s official channels.
Information about the issue was instead disseminated slowly through the industry via external reports. It was first brought to wider attention by security journalist Brian Krebs, who reposted Fortra’s advisory on Mastodon.
Using details from the advisory, researchers developed proof-of-concept exploit code, which circulated on 6 February, a day before Fortra issued the patch (GoAnywhere MFT 7.1.2) on 7 February. Researchers from CloudSEK said at the time that a Shodan scan had indexed “thousands” of GoAnywhere admin consoles exposed to the internet on port 8000, the console’s default HTTP port.
GoAnywhere data breach: Zero-day vulnerability details
The exploited vulnerability in GoAnywhere MFT, tracked as CVE-2023-0669, is a remote code execution (RCE) flaw, one of the most severe classes of security weakness. Because it is reachable before authentication, an attacker who can reach the admin console listener can run arbitrary code, deploy malware, and steal data without valid credentials or physical access to the targeted system.
The vulnerability is a Java deserialisation bug in the admin console’s License Response Servlet, exploited by sending a crafted POST request to the endpoint ‘/goanywhere/lic/accept’, CloudSEK says. A Metasploit module for the flaw is also available, which makes exploitation considerably easier.
The flaw can only be reached through the admin console, Fortra says; the web client interface used by end users is not affected. In most deployments the admin console is reachable only from inside the corporate network, remotely via a company virtual private network (VPN), or from allow-listed IP addresses, which narrows the attack surface but does not remove it. Fortra advised any customer who believes its console was exposed to the public internet to work with its customer support team.
GoAnywhere customers were also advised to audit all admin users within the organisation and check for unrecognised usernames. Rapid7 suggested this advice could indicate that Fortra had already observed follow-on activity from real-world exploitation, in which attackers created new admin users to maintain persistence on compromised systems.
The other mitigation in Fortra’s advisory instructed users to edit web.xml under adminroot/WEB-INF in the GoAnywhere MFT installation directory, delete the servlet and servlet-mapping entries for the License Response Servlet, and restart the application. Full details can be found in Krebs’ post.
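Two checks a defender would want at this point, written here as an added example that is not Fortra’s code and not part of the original article: a function that applies the advisory’s web.xml mitigation (removing the License Response Servlet’s servlet and servlet-mapping entries) and a scanner that flags POST requests to /goanywhere/lic/accept in web-server access logs. The web.xml fragment, the placeholder servlet class names, the namespace URI and the log lines are constructed for the example; the Apache combined log format is an assumption about the deployment, not a fact taken from the product.

```python
"""Added example (not Fortra's or the article's code): two defender-side checks
for CVE-2023-0669. strip_license_servlet() applies the interim mitigation from
Fortra's advisory to the text of adminroot/WEB-INF/web.xml by removing the
'License Response Servlet' <servlet> and its <servlet-mapping> (/lic/accept).
find_lic_accept_requests() scans access-log lines for POSTs to the endpoint
the public exploit targets. Sample data below is constructed; the Apache
combined log format is an assumed deployment detail.
"""
import re
import xml.etree.ElementTree as ET

TARGET_SERVLET = "License Response Servlet"
TARGET_PATH = "/goanywhere/lic/accept"

# Constructed fragment: the two entries the advisory says to delete, plus one
# unrelated servlet that must survive the edit. Class names are placeholders.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.example.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>Other Servlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Other Servlet</servlet-name>
    <url-pattern>/other</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _qualifier(root):
    """Return (namespace, q) where q(tag) adds the root's default namespace."""
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    return ns, (lambda t: f"{{{ns}}}{t}" if ns else t)


def servlet_names(web_xml):
    """List <servlet-name> values of every <servlet> entry (audit helper)."""
    root = ET.fromstring(web_xml)
    _, q = _qualifier(root)
    names = [s.find(q("servlet-name")) for s in root.findall(q("servlet"))]
    return [(n.text or "").strip() for n in names if n is not None]


def strip_license_servlet(web_xml):
    """Return (new_xml, removed_count) with the License Response Servlet gone.
    Both <servlet> and <servlet-mapping> are removed: a dangling mapping either
    keeps the /lic/accept route alive or stops the container from starting.
    """
    root = ET.fromstring(web_xml)
    ns, q = _qualifier(root)
    if ns:
        ET.register_namespace("", ns)  # emit xmlns="..." rather than ns0: prefixes
    doomed = [
        elem
        for kind in ("servlet", "servlet-mapping")
        for elem in root.findall(q(kind))
        if (getattr(elem.find(q("servlet-name")), "text", "") or "").strip() == TARGET_SERVLET
    ]
    for elem in doomed:
        root.remove(elem)
    return ET.tostring(root, encoding="unicode"), len(doomed)


# Constructed Apache "combined" log lines; 203.0.113.0/24 is documentation space.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [06/Feb/2023:14:02:11 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 1532 "-" "python-requests/2.28.1"',
    '10.0.0.5 - - [06/Feb/2023:14:03:00 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 9821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Feb/2023:14:03:41 +0000] "POST /goanywhere/lic/accept?x=1 HTTP/1.1" 500 412 "-" "curl/7.88.1"',
    '10.0.0.5 - - [06/Feb/2023:14:05:10 +0000] "GET /goanywhere/lic/accept HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    "malformed line that should be skipped, not crash the scan",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_lic_accept_requests(lines):
    """Return (ip, timestamp, status) for each POST to the license endpoint.
    Query strings and trailing slashes are stripped so trivial URL variations
    do not dodge the match; GETs are ignored because the exploit POSTs its payload.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST":
            path = m.group("path").split("?", 1)[0].rstrip("/")
            if path == TARGET_PATH:
                hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits


if __name__ == "__main__":
    fixed, removed = strip_license_servlet(SAMPLE_WEB_XML)
    print(f"removed {removed} entries; servlets left: {servlet_names(fixed)}")
    for ip, ts, status in find_lic_accept_requests(SAMPLE_ACCESS_LOG):
        print(f"POST {TARGET_PATH} from {ip} at {ts} -> HTTP {status}")
```

Run it as a script to see both checks on the constructed data, or call strip_license_servlet() on the real web.xml text and write the result back before restarting the service. Because the servlet exists for the product’s licensing workflow rather than ordinary file transfer, a POST to it from an address you do not recognise, or with an automation user agent, deserves investigation rather than being dismissed. Once the mapping is removed the path should no longer be served, so a 200 response to it in logs dated after the mitigation means the change did not take.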
GoAnywhere data breach: What organizations became victims?
Cyber security firm Rubrik was among the first to reveal it had been breached via exploitation of the GoAnywhere vulnerability.
It did not comment on whether ransomware was involved in the incident. Cl0p published a trove of data belonging to the company on its dark web leak site, which appeared to include partner and customer business names, contact information, and purchase orders, an observation Rubrik later confirmed in a public disclosure.
Hitachi Energy was another to confirm it was one of the circa 130 victims from Cl0p’s attacks. It said in a public advisory that the attack “could have resulted in unauthorized access to employee data in some countries”. The multinational energy firm employs 40,000 people across 90 countries and generates business volumes of around $10 billion.
Australia’s largest gambling company, Crown Resorts, also confirmed it was impacted and that “a small number of files” were stolen. These included employee attendance records and some membership numbers from its Crown Sydney resort.
Employee data from the UK’s Pension Protection Fund (PPF) was also stolen, though it was quick to confirm that no pension details were involved. It did, however, say that Fortra initially misled the organization about the nature of the incident, originally telling it that no data was taken. In response, the PPF “immediately” stopped using the company’s services.
The list of other high-profile victims includes Procter & Gamble, the City of Toronto, Virgin Red, Axis Bank, the Tasmanian government, Saks Fifth Avenue, Hatch Bank, and Investissement Québec.
GoAnywhere data breach: Who is behind the attacks?
Cl0p claimed a number of attacks that made use of the GoAnywhere vulnerability. The ransomware outfit offers its own eponymous ransomware payload through its affiliate program.
Run as a ransomware as a service (RaaS) operation, Russia-based Cl0p is known for using double extortion tactics.
The Secureworks Counter Threat Unit (CTU) attributes the campaign against the roughly 130 organizations to the threat group it tracks as Gold Tahoe, which other security firms track as TA505 and Dudear.
NCC Group stated that the group has actively used Cl0p ransomware since at least 2019, and has additionally run its own RaaS and malware distribution operations.
Gold Tahoe was also behind the 2021 exploitation of vulnerabilities in the Accellion File Transfer Appliance (FTA), which impacted major organizations such as Morgan Stanley.
The 91 victims posted to Cl0p’s leak site in March 2023 accounted for more than 65% of all victims claimed by the ransomware group between August 2020 and February 2023, Secureworks CTU says.
Cl0p ransomware has been around since 2019 and has been used in attacks on major organizations. Attribution of ransomware operations is often difficult to establish with certainty, but Cybereason says the group is “most likely based in Russia – which has a history of tacitly supporting cybercriminals with state-condoned and state-ignored attacks”.
In April, Microsoft linked a series of attacks exploiting vulnerabilities in PaperCut print management software to Cl0p, citing similarities between the vulnerabilities exploited in the two campaigns as well as Cl0p’s shift in methodology.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.