Hatch Bank data breach caused by the exploitation of the GoAnywhere MFT zero-day

Fintech platform Hatch Bank disclosed a data breach, hackers exploited a recently discovered zero-day in Fortra GoAnywhere MFT secure file-sharing platform.

Hatch Bank is a fintech firm that provides services to other fintech companies. The company disclosed a data breach and revealed that the attackers have exploited a recently discovered zero-day vulnerability in the company’s Fortra GoAnywhere MFT secure file-sharing system, reported Techcrunch.com.

A data breach notification filed by Hatch Bank with Maine’s attorney general revealed that threat actors exploited the flaw in its GoAnywhere system to access the names and Social Security numbers of 139,493 customers.

“On February 3, 2023, Hatch Bank was notified by Fortra of the incident and learned that its files contained on Fortra’s GoAnywhere site were subject to unauthorized access. Fortra’s investigation determined that there was unauthorized access to the site account from January 30, 2023, to January 31, 2023. Hatch Bank immediately took steps to secure its files and then launched a diligent and comprehensive review of relevant files to determine the information that may have been impacted. Hatch Bank then worked to identify contact information for the impacted individuals. That process completed on February 7, 2023.” reads the notice of data event. “The information that could have been subject to unauthorized access includes name and Social Security number”

In early February, the popular investigator Brian Krebs first revealed details about the zero-day, tracked as CVE-2023-0669, on Mastodon and pointed out that Fortra has yet to share a public advisory at the time.

Fortra immediately addressed the flaw with the release of an emergency security patch and urged customers to install it.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by the system.

Hatch Bank announced that it is working to implement additional safeguards and training for its employees. The company is providing access to credit monitoring services for one year, through Cyberscout, to the impacted customers.

Hatch Bank is also providing impacted customers with guidance on how to better protect against fraudulent activities, such as identity theft and fraud.

In Mid-February, Community Health Systems (CHS) disclosed a data breach also caused by the exploitation of the zero-day vulnerability in Fortra’s GoAnywhere MFT platform.

The bad news is that multiple experts already released exploits for the CVE-2023-0669 vulnerability, on February 6, 2023, the researcher Florian Hauser of IT security consulting firm Code White released a proof-of-concept (PoC) exploit code.

Researchers at threat intelligence firm Huntress shared the findings of their investigation into GoAnywhere MFT exploitation and linked the attacks to the TA505 threat actors.

Clop ransomware operators recently told BleepingComputer that they were able to compromise over 130 organizations in just ten days, but did not share details regarding their claims.

US CISA also added the GoAnywhere MFT flaw to its  Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Hatch Bank)