GoAnywhere MFT (Fortra) Incident
High Level Summary of the Security Advisory
Fortra provides product training, product services, managed services, and consulting services. One of their product offerings, GoAnywhere MFT, is a secure file transfer tool used in enterprise networks, as a hosted SaaS product, or on cloud platforms such as AWS.
On February 1, 2023, Fortra issued a security advisory regarding their GoAnywhere MFT tool, revealing that a remote code injection exploit had been identified involving deserialization of illegitimate data sent to the GoAnywhere MFT server. The vulnerability, tracked as CVE-2023-0669, appears to have been exploited through unauthorized access to GoAnywhere MFT instance(s) and affects version 7.1.1 and earlier. If this vulnerability is successfully exploited, attackers can remotely execute code on vulnerable instances of GoAnywhere MFT, posing a significant threat to the security of the system and the data it holds.
On February 13, 2023, Fortra updated the investigation details and provided mitigation guidelines to reduce the risk from the GoAnywhere MFT exploit. The updated security advisory included indicators of compromise that could help identify malicious activity, and a patched version, GoAnywhere MFT 7.1.2, was issued to remediate the vulnerability. These measures were put in place to protect users from potential threats posed by the exploit.
Should I be concerned?
Maybe. It depends on whether you have a relationship with Fortra and whether your organization is using their GoAnywhere MFT solution. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your Relationship List for “GoAnywhere,” “GoAnywhere MFT” or “Fortra” to confirm.
What to do if you have an active relationship with Fortra
In response to the incident (as part of their Security Advisory), Fortra has requested their GoAnywhere MFT customers upgrade immediately to GoAnywhere MFT 7.1.2 to remediate this vulnerability.
Fortra has provided investigation guidance and asked its customers to look for signs of unauthorized activity by reviewing available information in log files and administration screens. The guidance covers three investigation activities: User data/log review, Audit Log Review of Suspicious Activity and Suspicious User Account Activity Review. They’ve also provided mitigation guidance for those unable to upgrade at this time, which includes disabling the LicenseResponseServlet and using network access controls, such as firewalls, to limit access to the GoAnywhere MFT administrative interface to trustworthy sources.
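One way to confirm that the LicenseResponseServlet mitigation has actually taken effect is sketched below. This is an added example, not Fortra's or VISO's code. It assumes the servlet is declared in a standard Java servlet deployment descriptor (`web.xml`) whose location you supply yourself; the package, servlet name and URL pattern in the constructed samples are placeholders.

```python
import sys
import xml.etree.ElementTree as ET

TARGET = "LicenseResponseServlet"  # servlet named in the mitigation guidance

# Constructed samples: package, servlet name and URL pattern are placeholders.
UNMITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>placeholder-license</servlet-name>
    <servlet-class>placeholder.pkg.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>placeholder-license</servlet-name>
    <url-pattern>/placeholder/path</url-pattern>
  </servlet-mapping>
</web-app>"""
# Same descriptor with both blocks wrapped in an XML comment (disabled).
MITIGATED = UNMITIGATED.replace("<servlet>", "<!-- <servlet>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")

def _local(tag):
    """Strip an XML namespace prefix such as '{ns}servlet'."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def active_license_servlet(web_xml_text):
    """Return [(servlet_name, [url_patterns])] for live declarations of TARGET.

    The parser drops XML comments, so a commented-out servlet is not reported.
    An empty pattern list means the servlet is declared but has no URL mapping.
    """
    root = ET.fromstring(web_xml_text)
    elems = list(root.iter())
    findings = []
    for servlet in (e for e in elems if _local(e.tag) == "servlet"):
        if not any(TARGET in cls for cls in _children(servlet, "servlet-class")):
            continue
        name = (_children(servlet, "servlet-name") or [""])[0]
        patterns = [p for m in elems if _local(m.tag) == "servlet-mapping"
                    and name in _children(m, "servlet-name")
                    for p in _children(m, "url-pattern")]
        findings.append((name, patterns))
    return findings

if __name__ == "__main__":
    # Pass the descriptor path as the first argument; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else UNMITIGATED
    for name, patterns in active_license_servlet(text):
        print(f"ACTIVE: {name!r} mapped to {patterns or 'no URL pattern'}")
```

An empty result means no live declaration of the servlet remains in that descriptor; it does not replace the upgrade to 7.1.2 or the network access restrictions.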
Fortra warned its customers that managed credentials within their GoAnywhere MFT environment could be potentially compromised. In response, customers should determine whether credentials were stored for other systems in their environment (e.g. passwords and keys used to encrypt files within the system or access GoAnywhere MFT-integrated external systems), ensure that all credentials have been revoked from those external systems, and review relevant access logs related to those systems. In addition, Fortra has requested customers follow the best practices defined in the “GoAnywhere MFT Hardening Guide” on the customer portal.
If you or your third parties have an active relationship with Fortra and use their GoAnywhere MFT solution, VISO suggests following the immediate remediation steps and investigation guidance mentioned above.
Additionally, VISO recommends taking the following steps to strengthen defenses against the inevitable future attempts of a similar nature:
- Reset all account credentials - keys and/or passwords
- Enable multi-factor authentication
- Implement secure development lifecycle practices
- Encrypt data to protect it from being intercepted
- Review audit logs and delete any suspicious admin and/or web user accounts
- Maintain a solid and effective vulnerability management program
- Closely monitor vulnerability scans to detect any malicious code, malware or other suspicious activities
---------------------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
The VISO Trust team