Investigation on Fortra GoAnywhere attacks completed

BleepingComputer reports that Fortra has completed its probe into the Clop ransomware operation's widespread compromise of its GoAnywhere Managed File Transfer system through the exploitation of a zero-day, tracked as CVE-2023-0669. Suspicious GoAnywhere activity was first identified by Fortra on Jan. 30, but further investigation revealed that threat actors were able to breach systems as early as Jan. 18, with the vulnerability exploited to facilitate the creation of user accounts in certain customer environments from Jan. 28 to 30. Such accounts have been leveraged to enable file downloads, as well as the installation of the "Netcat" and "Errors.jsp" tools used for backdoor creation and dynamic web page-building activities, respectively, according to Fortra. "When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment," said Fortra. More than 130 organizations were claimed to have been compromised by Clop during the attack, all of which have been given assistance by Fortra, which also issued mitigations and recommendations for vulnerable GoAnywhere instances.
