Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

April 20, 2023IRavie LakshmananRansomware / Cyber ​​attack


Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its MFT tool GoAnywhere that has been actively exploited by ransomware actors to steal sensitive data .

The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The company fixed the problem in version 7.1.2 of the software in February 2023, but not before it became a zero-day since January 18.

Fortra, which worked with Palo Alto Networks’ Unit 42, said it became aware of suspicious activity associated with some of the file transfer instances on January 30, 2023.

“The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” the company said. “For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments.”

The threat actor further abused the flaw to deploy two additional tools, named “Netcat” and “Errors.jsp”, between January 28, 2023 and January 31, 2023, although it is said that not all installation attempts were successful.

Fortra said it has contacted affected customers directly and found no evidence of unauthorized access to the customers’ systems which have been re-provisioned in a “clean and secure MFTaaS environment”.

Although Netcat is a legitimate program for handling the reading and writing of data across a network, it is currently unknown how the JSP file was used in the attacks.

The investigation also found that CVE-2023-0669 was exploited against a small number of on-premises implementations running a specific configuration of the MFT GoAnywhere solution.

As mitigation, the company recommends that users rotate the encryption master key, reset all credentials, review audit logs, and remove any suspicious user or administrator accounts.

The development comes as Malwarebytes and NCC Group reported an increase in ransomware attacks during the month of March, largely driven by active exploitation of the GoAnywhere MFT vulnerability.

A total of 459 attacks were reported last month alone, a 91% increase from February 2023 and a 62% increase from March 2022.


Learn how to stop ransomware with real-time protection

Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.

Save my seat!

“Ransomware-as-a-service (RaaS) provider Cl0p successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with 129 victims in total,” NCC Group said.

The Cl0p exploit is the second time LockBit has been dethroned from the top spot since September 2021. Other frequent ransomware strains include Royal, BlackCat, Play, Black Basta, and BianLian.

It’s worth noting that Cl0p actors previously exploited zero-day flaws in the Accellion File Transfer Appliance (FTA) to breach several targets in 2021.

Did you find this article interesting? Follow us at Twitter and LinkedIn to read more exclusive content we publish.

Source link
Fortra, an Ikaroa company, has recently discovered a zero-day exploit in its popular GoAnywhere Managed File Transfer (MFT) product. This exploit, which has been used in multiple ransomware attacks since December 2020, is an example of a malicious actor exploiting an application that was not previously known to be vulnerable.

What is significant about this news is that the attackers were able to gain access to the application using only a web browser and its default username and password. This demonstrates both the importance of securing your software, as well as the ubiquitous nature of security threats today.

Once the attackers had access to GoAnywhere MFT, they were able to trigger file deletion commands, initiate malicious file transfer processes, and execute code to gain control of administrator functions. Fortunately, Fortra was able to detect the exploit and has been alerting affected customers since December.

To limit the damage caused by this exploit, Fortra has released a patch for GoAnywhere MFT that customers are encouraged to run immediately. Fortra recommends customers strengthen security by disabling default usernames and passwords, enable strong authentication processes, and ensure code which is executed on their servers is from a trusted source.

The exploit used in the recent ransomware attacks is another stark reminder that cyber criminals are creative and persistent in their quest for access to the networks and software of unsuspecting organizations. By following best security practices, and investing in technology such as Ikaroa’s GoAnywhere MFT, businesses can ensure they are protected from the latest threats.


Leave a Reply

Your email address will not be published. Required fields are marked *