BleepingComputer reports that Fortra has completed its probe into the Clop ransomware operation's widespread compromise of its Fortra GoAnywhere Managed File Transfer system through the exploitation of a zero-day, tracked as CVE-2023-0669.
Suspicious GoAnywhere activity was first identified by Fortra on Jan. 30, but further investigation revealed that threat actors had breached systems as early as Jan. 18, with the vulnerability exploited to create user accounts in certain customer environments between Jan. 28 and 30.
These accounts were then used to download files and to install the "Netcat" and "Errors.jsp" tools, used for backdoor creation and dynamic web page building, respectively, according to Fortra.
"When we identified the tools used in the attack, we communicated directly with each customer if either of these tools were discovered in their environment," said Fortra.
Clop claimed to have compromised more than 130 organizations during the attack, all of which have received assistance from Fortra, which also issued mitigations and recommendations for vulnerable GoAnywhere instances.
Investigation on Fortra GoAnywhere attacks completed
Attackers purporting to be Royal Mail distributed malicious emails about a failed package delivery with a PDF attachment that included a link redirecting to a Dropbox-hosted ZIP file, which then facilitated the execution of Prince ransomware.
Such websites, which operate under the "AI Nude" name and are promoted through black hat SEO techniques, promise to convert uploaded photos into deepfake nudes but instead display a link which, when clicked, redirects to another site holding the password and link for a password-protected Dropbox-hosted archive containing the infostealer malware.
Both iOS and Android devices have been targeted with attacks involving the fake app dubbed "SB-INT," which lured victims into manually trusting the Enterprise developer profile before triggering the registration process that would seek additional information from victims.