GoAnywhere MFT and Cl0p: The Pre-MOVEit Dress Rehearsal
Threat Intelligence
Before MOVEit became the story of 2023, Cl0p ran the same playbook against Fortra's GoAnywhere MFT. CVE-2023-0669 was a deserialization flaw in the admin console; the affiliate program turned it into roughly 100 victim disclosures over months.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 18, 2024 · 8 min read
The MOVEit campaign of May 2023 made Cl0p famous. The GoAnywhere campaign that preceded it by three months made Cl0p ready. CVE-2023-0669 was the kind of bug that should never reach production in 2024: an unauthenticated, internet-exposed admin console combined with a deserialization sink. Cl0p found it first.
Timeline
- January 30, 2023: Fortra notifies customers of a zero-day in GoAnywhere MFT and recommends disabling the licensing service or restricting admin console exposure. Public CVE is not yet assigned.
- February 2, 2023: a working proof of concept is posted publicly.
- February 7, 2023: CVE-2023-0669 is assigned with a CVSS of 7.2.
- February 10, 2023: Cl0p claims responsibility on its leak site for exploiting the bug against more than 130 organizations. The number is high relative to confirmed victims because it counts both companies whose GoAnywhere instances were directly reached and companies whose data happened to sit inside those customers' transfers.
- February through April 2023: a steady cadence of victim listings on the leak site, including Community Health Systems, the City of Toronto, Hatch Bank, Rubrik, and Procter & Gamble.
- May 2023: Cl0p pivots to MOVEit. The GoAnywhere campaign tail continues for months as victims work through notification.
Root cause
CVE-2023-0669 was a pre-authentication deserialization flaw in the GoAnywhere MFT admin console. An attacker who could reach the admin port could send a crafted request that triggered unsafe Java deserialization and gain code execution as the service account. The structural issue was that many customers had the admin console reachable from the internet. The MFT product's main job is internet-facing file transfer, and the admin interface had drifted into the same exposure tier.
Managed File Transfer products are central to compliance reporting and patient data flows. They are also a single hop from the internet to regulated data.
Attacker actions
Cl0p's operating model is exfiltration without ransomware encryption. The crew dropped web shells, often a Java payload styled to blend with GoAnywhere logs, pulled credentials and configuration, then used the MFT's own data access to exfiltrate files. Victims commonly learned of the theft only after Cl0p listed them on the leak site.
Detection signals
- Anomalous HTTP POSTs to the GoAnywhere admin console from external IPs. The endpoint pattern in the public PoC was specific enough to alert on.
- Java process spawning shell or PowerShell child processes on MFT servers. This is the universal Java-deserialization tell.
- Outbound transfers from the MFT server to non-customer destinations, especially MEGA or other cloud storage hosts during off-hours.
- New scheduled tasks or systemd units that did not come from a Fortra-signed installer.
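As an added illustration (not code from the original post or from Fortra), the first two signals above written as detection logic over constructed sample data. It assumes the admin console is served under /goanywhere/ (Fortra's default context path) and that ADMIN_NETS is your locally maintained allow-list of networks permitted to reach it.

```python
import ipaddress
import re

# Assumption: admin console under /goanywhere/, customer web client elsewhere.
ADMIN_PREFIX = "/goanywhere/"
# Constructed allow-list: only these networks may reach the admin console.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Shell images that a Java server process has no business spawning.
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}

# Combined-log-format fields we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines; not real GoAnywhere output.
ACCESS_LOG = """\
203.0.113.7 - - [03/Feb/2023:02:14:09 +0000] "POST /goanywhere/auth/Login.xhtml HTTP/1.1" 200 512
10.20.0.5 - - [03/Feb/2023:09:01:44 +0000] "POST /goanywhere/auth/Login.xhtml HTTP/1.1" 302 0
198.51.100.23 - - [03/Feb/2023:02:14:11 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 3410
198.51.100.23 - - [03/Feb/2023:02:15:02 +0000] "POST /webclient/Login.xhtml HTTP/1.1" 302 0
203.0.113.7 - - [03/Feb/2023:02:16:30 +0000] "POST /goanywhere/admin/Dashboard.xhtml HTTP/1.1" 500 88
"""

# Constructed process-creation events as (pid, ppid, image) tuples.
PROCESS_EVENTS = [
    (1200, 1, "java"), (1340, 1200, "sh"), (1341, 1340, "curl"),
    (2000, 1, "sshd"), (2010, 2000, "bash"),
]


def external_admin_posts(lines):
    """Signal 1: POSTs to the admin console from outside the admin allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
            continue
        if not any(ipaddress.ip_address(m["ip"]) in net for net in ADMIN_NETS):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


def java_shell_children(events):
    """Signal 2: a Java parent spawning a shell child; returns (parent pid, child image)."""
    image_by_pid = {pid: image for pid, _, image in events}
    return [(ppid, image) for pid, ppid, image in events
            if image_by_pid.get(ppid, "").lower().startswith("java") and image.lower() in SHELLS]


if __name__ == "__main__":
    print(external_admin_posts(ACCESS_LOG.splitlines()))
    print(java_shell_children(PROCESS_EVENTS))
```

The web-client POST and the internal admin login are deliberately left out of the first signal's output, which is what keeps the rule from paging on normal traffic.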
Lessons
- Audit your MFT inventory. GoAnywhere, MOVEit, Accellion, Cleo: each has had a Cl0p-class incident. Knowing where they live is step one.
- Remove admin interfaces from the public internet. VPN, bastion, or zero-trust proxy only.
- Egress filter MFT servers. They should talk to specific customer endpoints, not arbitrary cloud storage.
- Subscribe to vendor security advisories with an SLA on action. The GoAnywhere advisory pre-dated the public PoC by three days. Teams that acted on day one were not in the victim list.
GoAnywhere is the campaign defenders should still talk about more than they do. It established the MFT zero-day plus mass exploitation plus quiet exfiltration pattern that MOVEit then scaled. The next entry in the pattern is on the calendar; the only question is which vendor's logo will be on it.