cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Fortra reveals summary of GoAnywhere hack investigation

Following the hack on its GoAnywhere MFT cloud service, information software company Fortra has released a full summary of its investigation.

user icon Daniel Croft
Wed, 19 Apr 2023
Fortra reveals summary of GoAnywhere hack investigation
expand image

The GoAnywhere attack, believed to have been conducted by the Clop ransomware group, was discovered by Fortra on 30 January this year and affected 130 organisations, according to the threat group.

“On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution,” said the update.

“We quickly implemented a temporary service outage and commenced an investigation.”


Australian institutions such as mining giant Rio Tinto, Meriton, and the Tasmanian government have all revealed that they were affected by the supply chain attack.

According to Fortra’s latest update, its investigation was conducted in conjunction with Palo Alto’s incident response team, Unit 42.

The initial investigation revealed that threat actors used a specific vulnerability to create on the GoAnywhere system.

“Our initial investigation revealed the unauthorised party used CVE-2023-0669 to create unauthorised user accounts in some MFTaaS customer environments,” the summary said.

“For a subset of these customers, the unauthorised party leveraged these user accounts to download files from their hosted MFTaaS environments.

“We prioritised communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.”

Further investigation revealed that Clop installed a number of malicious tools in several customer environments.

“The threat actor was not able to install both tools in every customer environment, and neither tool was consistently installed in every environment,” it said.

The vulnerability was also used on a number of on-premises customers running a specific version of GoAnywhere.

Fortra said that customers running an internet-accessible admin portal were at “an increased risk.” These customers were urgently contacted “regarding mitigation of this risk”.

The company has since said it has concluded its investigation and will “continuously review” its security and operating procedures to prevent similar incidents in the future.

It has also recommended that users of GoAnwhere engage in a number of “mitigation/remediation” steps, which include rotating master encryption keys, resetting all credentials and reviewing all audit logs for suspicious accounts and activity.

No other aspects of Fortra’s business were affected outside of the GoAnywhere MFT solution.

The software vendor has not yet revealed the number of impacted customers nor whether Clop’s claims of 130 organisations are indeed true.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.