Brightline Breach


David H. Lipman

Notice of Fortra Data Security Incident

Quote

Brightline, a startup pediatric behavioral health provider, on behalf of certain entities identified below (“Covered Entities”), is informing impacted individuals about a security incident at its vendor, Fortra, that affected a limited amount of protected health information. Fortra is a third-party provider of file transfer services known as GoAnywhere MFT Software-as-a-Service.  We received information from the Covered Entities concerning eligibility of certain individuals for our services and this information was stored in our account with Fortra.  

Summary of the Investigation Related to CVE-2023-0669

Posted on April 17, 2023

Quote

We’d like to provide an update on our investigation into the suspicious activity detected in our Fortra GoAnywhere MFT solution. Working with Unit 42, we have completed our investigation and have compiled a factual summary of the investigation, as well as continuous improvement actions Fortra is taking to further strengthen our systems and recommended actions customers can take to secure their data and improve their security posture using available features in the GoAnywhere MFT solution.

What happened:

On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution. We quickly implemented a temporary service outage and commenced an investigation.

We discovered that between January 28, 2023, and January 30, 2023, an unauthorized party used a previously unknown, zero-day remote code execution (RCE) vulnerability to access certain GoAnywhere customers’ systems. This vulnerability was assigned CVE-2023-0669.

Our initial investigation revealed the unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments. For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments. We prioritized communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.  

During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools - “Netcat” and “Errors.jsp” - in some MFTaaS customer environments between January 28, 2023 and January 31, 2023. The threat actor was not able to install both tools in every customer environment, and neither tool was consistently installed in every environment.

When we identified the tools used in the attack, we communicated directly with each customer if either of these tools was discovered in their environment. We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.

On-Premise Customers

As the investigation unfolded, we were made aware that the same CVE-2023-0669 was used against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution. Based on reports from customers, this activity pushed the unauthorized activity timeline back to January 18.

We determined that customers running an admin portal exposed to the internet, which represents a small minority of customers, were at an increased risk and promptly communicated with those customers regarding mitigation of this risk. We urgently notified all on-premise customers that a patch was available and shared additional mitigation guidance. It is important to note that Fortra does not administer the infrastructure for on-premise instances, and we worked with customers to provide support and indicators of compromise.

At this time, we can confirm this issue was isolated to our GoAnywhere MFT solution and does not involve any other aspects of the Fortra business, or its customers.

Next Steps

As we move forward from this event, we will continuously review our operating practices and security program to ensure we emerge stronger as an organization. We are committed to continuous improvement as an organization on our current practices in areas such as:

  • Secure development and supply chain
  • Solution operations, support, and architecture
  • Customer communications and best practice documentation

For all customers, we recommend they follow the mitigation actions listed below, as well as employ industry-specific configuration practices regarding data protection available in our customer center. For on-premise GoAnywhere customers, we recommend following our stated implementation guidelines, including not allowing admin portal access from the internet.

GoAnywhere continues to include a number of security features that our customers may implement to help further safeguard data within their GoAnywhere MFT environment. Customers should download and follow the best practices defined in the manuals available in the customer portal: https://my.goanywhere.com/ including the “GoAnywhere MFT Hardening Guide.”

Customers should also review the GoAnywhere Compliance Center: https://www.goanywhere.com/solutions/compliance

Customers are responsible for ensuring their use and configuration of the GoAnywhere product complies with all applicable laws and regulations. The compliance center features guidance on leveraging the GoAnywhere product for customers across industries and geographic locations. We recommend customers review their specific data protection requirements and ensure they enable appropriate features in their MFT environment to meet the relevant current data security standards.  

RECOMMENDED ACTIONS FOLLOWING MITIGATION/REMEDIATION:

  • Rotate your Master Encryption Key.
  • Reset all credentials - keys and/or passwords - including for all external trading partners/systems.
  • Review audit logs and delete any suspicious admin and/or web user accounts.

IMPORTANT:

Customers should determine whether their instances included stored credentials for other systems in the environment and make sure those credentials have been revoked. This includes passwords and keys used to access any external systems with which GoAnywhere is integrated. Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.

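The post's recommended actions stop at "review audit logs and delete any suspicious admin and/or web user accounts" without showing what that review looks like. The script below is an added example written for this page; it is not code from Fortra, from GoAnywhere, or from the forum poster. The pipe-separated audit line format, the event names, the trusted network range, the known-good account list and the sample log lines are all constructed assumptions for the example, not GoAnywhere's real audit schema. The incident window (January 18 through January 31, 2023) and the two tool names it looks for ("Netcat" and "Errors.jsp") are taken from the summary above.

```python
"""Triage helper for the "review audit logs" step after a GoAnywhere MFT compromise.

Assumed (hypothetical) audit line format, one event per line:
    <ISO-8601 UTC timestamp> | <actor> | <event> | <target> | <source ip>
This is NOT the real GoAnywhere audit schema; adapt parse_audit_log() to your export.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Window taken from the advisory: earliest reported on-prem activity (Jan 18)
# through the last reported tool installation (Jan 31, 2023), end exclusive.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 1, tzinfo=timezone.utc)

# Assumptions for the example: the admin team's own network and the accounts
# that are expected to exist. Replace with your own inventory.
TRUSTED_NETWORKS = (ip_network("10.20.0.0/16"),)
KNOWN_GOOD_ACCOUNTS = {"admin", "ops_backup"}

ACCOUNT_CREATE_EVENTS = {"ADMIN_USER_CREATED", "WEB_USER_CREATED"}
# File names named in the advisory as the attacker's tools (case-insensitive match).
TOOL_NAMES = {"errors.jsp", "netcat", "nc", "nc.exe"}

# Constructed sample log: one legitimate account, then an attacker chain from an
# untrusted address inside the window. Paths and IPs are made up.
SAMPLE_AUDIT_LOG = """\
2023-01-10T09:12:00Z | admin     | ADMIN_USER_CREATED | ops_backup                  | 10.20.0.5
2023-01-20T02:41:37Z | admin     | ADMIN_USER_CREATED | sysmaint                    | 203.0.113.44
2023-01-20T02:42:10Z | sysmaint  | WEB_USER_CREATED   | svc_xfer                    | 203.0.113.44
2023-01-20T02:45:00Z | sysmaint  | FILE_WRITTEN       | /webapps/ROOT/Errors.jsp    | 203.0.113.44
2023-01-21T03:05:22Z | svc_xfer  | FILE_DOWNLOAD      | /partners/payroll_2022.zip  | 203.0.113.44
2023-01-25T11:00:00Z | admin     | FILE_UPLOAD        | /reports/q4.pdf             | 10.20.0.5
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str
    event: str
    target: str
    source_ip: str


def parse_audit_log(text):
    """Parse the assumed pipe-separated format into AuditEvent objects (oldest first)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, event, target, src = [f.strip() for f in line.split("|")]
        ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuditEvent(ts_utc, actor, event, target, src))
    return sorted(events, key=lambda e: e.ts)


def from_trusted_network(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_accounts(events, known_good=KNOWN_GOOD_ACCOUNTS,
                             start=WINDOW_START, end=WINDOW_END):
    """Return {account: [reasons]} for accounts that should be reviewed and likely deleted.

    An account is flagged when it is not on the known-good list and it was created
    inside the incident window, from an untrusted source address, or by an account
    that was itself already flagged (the attacker chaining admin -> web user).
    """
    suspicious = {}
    for ev in events:  # events are sorted, so a creator is flagged before its children
        if ev.event not in ACCOUNT_CREATE_EVENTS or ev.target in known_good:
            continue
        reasons = []
        if start <= ev.ts < end:
            reasons.append("created inside incident window")
        if not from_trusted_network(ev.source_ip):
            reasons.append(f"created from untrusted address {ev.source_ip}")
        if ev.actor in suspicious:
            reasons.append(f"created by flagged account {ev.actor}")
        if reasons:
            suspicious[ev.target] = reasons
    return suspicious


def downloads_by(events, accounts):
    """Files pulled by the flagged accounts: the starting point for breach-notification scoping."""
    return [(ev.ts.isoformat(), ev.actor, ev.target)
            for ev in events if ev.event == "FILE_DOWNLOAD" and ev.actor in accounts]


def tool_artifacts(events):
    """Paths of written files whose base name matches a tool named in the advisory."""
    return [ev.target for ev in events
            if ev.event == "FILE_WRITTEN"
            and ev.target.rsplit("/", 1)[-1].lower() in TOOL_NAMES]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = find_suspicious_accounts(evs)
    for account, why in flagged.items():
        print(f"REVIEW/DELETE account {account}: {'; '.join(why)}")
    for ts, actor, path in downloads_by(evs, flagged):
        print(f"EXFIL? {ts} {actor} downloaded {path}")
    for path in tool_artifacts(evs):
        print(f"TOOL ARTIFACT written: {path}")
```

Run against a real export by replacing `SAMPLE_AUDIT_LOG` with the file contents and adjusting the parser; the three checks (accounts created in the window or from outside your admin network, downloads by those accounts, and writes of the named tools) correspond directly to the three investigation findings in the summary. Deleting the flagged accounts is only the first step: the post also requires rotating the master encryption key and every stored credential, because an account that could download files could equally have read the keys and trading-partner passwords held in the instance.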