Fortra: Certain On-Prem Customers Were Targeted In GoAnywhere Attacks

The cybersecurity and business software vendor says it has completed its investigation into the attacks, which stemmed from exploits of a vulnerability in the GoAnywhere file transfer platform.


Fortra, whose GoAnywhere file transfer platform was exploited by hackers to steal data from numerous large organizations earlier this year, said that certain customers with on-premises deployments of the software were “at an increased risk” from the attacks.

The cybersecurity and business software vendor disclosed in a post that it has completed its investigation, which included assistance from Palo Alto Networks’ Unit 42 organization.

[Related: 5 Things To Know About The Fortra GoAnywhere Attacks]

Sponsored post

The attacks stemmed from exploits of a zero day vulnerability in the GoAnywhere file transfer platform, tracked at CVE-2023-0669. Known victims from the data theft campaign included Procter & Gamble, the City of Toronto, Crown Resorts and data security firm Rubrik.

Fortra, which changed its name from HelpSystems in Novem­ber, offers GoAnywhere as a secure managed file transfer (MFT) product that “streamlines the exchange of data between systems, employees, customers and trading partners,” according to the company.

Among the discoveries during the Fortra investigation into the attacks was that the GoAnywhere vulnerability “was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution,” the company said in the blog post. This occurred as far back as Jan. 18, Fortra said.

On-prem customers that were running an internet-exposed administrator portal — a small minority of customers,” according to the vendor — “were at an increased risk” of being targeted, Fortra said. The company said it “promptly communicated with those customers regarding mitigation of this risk.”

“We urgently notified all on-premise customers that a patch was available and shared additional mitigation guidance,” Fortra said.

The company said its investigation also determined the the vulnerability was “isolated to our GoAnywhere MFT solution and does not involve any other aspects of the Fortra business, or its customers.”

In response to an inquiry from CRN, Fortra said that it’s not disclosing the total number of impacted customers or further details beyond its post.

In early February, Fortra informed customers that it had identified an actively exploited zero-day vulnerability in GoAnywhere, which could be used to remotely execute code on vulnerable systems. The Fortra advisory was first reported by journalist Brian Krebs.

On Feb. 7, Fortra released a patch for the GoAnywhere vulnerability as part of version 7.1.2.

BleepingComputer reported on Feb. 10 that the Clop cybercrime gang said it was responsible for numerous attacks exploiting the GoAnywhere vulnerability. The cybercriminal group claimed that it had stolen data from more than 130 victim organizations during a 10-day period.