Connect with us

Hi, what are you looking for?


Data Breaches

Fortra Completes Investigation Into GoAnywhere Zero-Day Incident

Fortra has shared a summary of its investigation into the GoAnywhere zero-day incident that hit dozens of the company’s customers earlier this year.

Fortra has completed the investigation into the recent zero-day incident involving its GoAnywhere managed file transfer (MFT) software and the company has shared a summary of its findings.

The investigation, conducted with the aid of cybersecurity firm Palo Alto Networks, revealed that malicious activity started on January 18, with cybercriminals exploiting a zero-day vulnerability against on-premises implementations running a specific configuration of GoAnywhere.

In the case of MFTaaS customers, the probe found that they were targeted with the zero-day vulnerability starting with January 28. 

Fortra became aware of the hack on January 30 and the unauthorized activity conducted in MFTaaS environments was completely neutralized the next day. The zero-day vulnerability, tracked as CVE-2023-0669, can be exploited for remote code execution. 

“Our initial investigation revealed the unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments. For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments,” the company explained.

In addition, the attackers leveraged the zero-day to install up to two tools in compromised customer environments: Netcat and Errors.jsp.

Fortra said it immediately started working with customers to resolve the breach, but a patch for the zero-day was only released roughly one week after the incident was made public. 

Advertisement. Scroll to continue reading.

“At this time, we can confirm this issue was isolated to our GoAnywhere MFT solution and does not involve any other aspects of the Fortra business, or its customers,” Fortra said.

The company has also described the actions it has taken to prevent future incidents and shared some recommendations for customers. 

The zero-day vulnerability appears to have been exploited by hackers associated with the Cl0p ransomware operation.

Dozens have been impacted and several major organizations have confirmed being hit, including Community Health Systems (CHS), Rubrik, Hitachi Energy, Crown Resorts, the City of Toronto, Saks Fifth Avenue, Pluralsight, PPF, P&G, Atos, and Rio Tinto. The hackers claimed that they targeted 130 organizations in the GoAnywhere campaign. 

Several victims said that while the attackers did exploit the vulnerability against them, impact was limited. Files allegedly stolen from some of them have been published on Cl0p’s leak website.

Related: Data Breach at Independent Living Systems Impacts 4 Million Individuals

Related: Western Digital Shuts Down Services Due to Cybersecurity Breach

Related: Latitude Financial Services Data Breach Impacts 300,000 Customers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.