Clop Ransomware Claims Widespread GoAnywhere MFT Exploits
Experts Urge Rapid File Transfer Software Patching to Fix Zero-Day Vulnerability
Attackers are actively exploiting a zero-day vulnerability in widely used managed file transfer software GoAnywhere MFT to take full control of systems, and in some cases to deploy ransomware.
Security experts report that the flaw, which is present in the software's administrator console, can be exploited without having to authenticate or otherwise log into the console, and gives attackers shell access to servers. More than 1,000 administrator ports for the software appear to remain exposed to the internet and at risk of being exploited.
The vulnerability, designated CVE-2023-0669, exists in versions of GoAnywhere MFT - aka managed file transfer - prior to 7.1.2. The software is sold by Fortra, formerly known as HelpSystems.
"GoAnywhere MFT contains a pre-authentication remote code-execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object," the U.S. Cybersecurity and Infrastructure Security Agency warns in its Known Exploited Vulnerabilities Catalog.
Fortra's initial security alert, issued Feb. 1, advised users to disable the servlet, and provided instructions for doing so. On Tuesday, Fortra released version 7.1.2 of the software, which patches the problem without having to disable the servlet.
"We urgently advise all GoAnywhere MFT customers to apply this patch," the company says in its security alert. "Particularly for customers running an admin portal exposed to the internet, we consider this an urgent matter." It also recommends that all users ensure access controls are in place for any internet-exposed administrative consoles.
The company says all current users should upgrade immediately to GoAnywhere MFT 7.1.2 to fully remediate this vulnerability. "Be sure to download the upgrader, not the installer."
The software can be deployed on-premises; in the cloud via such platforms as AWS and Microsoft Azure; via a hosted, software-as-a-service plan offered by Fortra; and within hybrid environments.
Clop Claims Victims
At least one ransomware group claims to have already been exploiting the flaw to amass victims. Bleeping Computer reports that the Clop ransomware gang proactively reported Friday that over the preceding 10 days, it had exploited the flaw to breach networks used by 130 different organizations. The gang's claims could not be verified.
Joe Slowik, threat intelligence manager at managed security platform provider Huntress, reported on Wednesday that a recent attack that targeted GoAnywhere MFT may trace to a group that has previously deployed Clop ransomware.
Slowik says the attack, against a managed host that Huntress was monitoring, occurred on Feb. 2, and the host appeared to suffer "a web server compromise of some kind, which resulted in the download and execution of a malicious file" on a system that was "designated for GoAnywhereMFT services."
Based on an analysis of a DLL file used in the attack, Slowik reports that the malware appears to be an updated version of Truebot malware, which has been used to gain initial access to a victim's network by the Russian-language Silence group, which was first spotted in 2016. Its activities have been linked to those of the cybercrime group with the codename TA505, and include Clop ransomware distribution.
"Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose," Slowik reports.
Security Alert: Access Hurdle
The first known attacks to exploit this flaw began Jan. 25. The company recommends all users review their goanywhere.log files for signs of suspicious activity, including admin user or web user accounts with unrecognized usernames, as well as accounts being created when no one legitimate would likely have done so.
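The log review recommended above can be scripted. The following is an added example, not Fortra's tooling or code from the original article; the log line layout, the sample entries, the working-hours window and the function name are assumptions, so adapt the pattern to the entries in your own goanywhere.log.

```python
import re
from datetime import datetime, time

# Constructed sample lines in an ASSUMED layout; real goanywhere.log entries
# will differ, so adapt LINE_RE to the lines in your own file.
SAMPLE_LOG = """\
2023-01-20 10:14:02 INFO Admin user 'jsmith' was created by 'root'
2023-01-27 03:41:55 INFO Admin user 'svc_x91' was created by 'system'
2023-01-30 14:05:10 INFO Web user 'partner_acme' was created by 'jsmith'
2023-02-02 02:13:37 INFO Web user 'tmpuser7' was created by 'system'
2023-02-03 09:30:00 INFO Admin user 'akumar' was created by 'root'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<kind>Admin|Web) user '(?P<user>[^']+)' was created"
)
FIRST_KNOWN_ATTACK = datetime(2023, 1, 25)      # date given in the article
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed change window


def review_account_creations(log_text, known_users):
    """Return (timestamp, kind, user, reasons) for creations worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ts < FIRST_KNOWN_ATTACK:
            continue  # predates the first known exploitation
        reasons = []
        if m["user"] not in known_users:
            reasons.append("unrecognized username")
        if not (WORK_START <= ts.time() < WORK_END):
            reasons.append("created outside working hours")
        if reasons:
            findings.append((m["ts"], m["kind"].lower(), m["user"], reasons))
    return findings


if __name__ == "__main__":
    known = {"jsmith", "akumar", "partner_acme"}  # from your identity records
    for ts, kind, user, reasons in review_account_creations(SAMPLE_LOG, known):
        print(f"{ts} {kind} user {user}: {', '.join(reasons)}")
```

Build the known-user set from an authoritative identity source rather than from the product's own user list, since accounts created during a compromise would already appear in the latter.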
Accessing details of the vulnerability requires first creating an account with Fortra. While doing so is free, security experts have criticized the company for not making details directly accessible.
"Hiding security advisories behind a customer portal is something we heavily discourage," says security firm Rapid7 in its vulnerability analysis. "It's optimal when this type of information is public so users can stay informed and protect themselves as easily as possible."
Instead, the first public details of the alert came courtesy of cybersecurity blogger Brian Krebs, who on Feb. 2 copied the security notification into a Mastodon post.
In response to Krebs' post, cybersecurity expert Kevin Beaumont reported that day that a Shodan search was turning up 1,008 potentially vulnerable systems, and port 8000 was being used by 153 of them. "Port 8000 (non-HTTPS) and 8001 (HTTPS) are the admin ports," he said in a Mastodon post. "Almost all the admin ports exposed to internet are port 8000, because why use encryption."
As of Monday, a Shodan search showed that the number of potentially exposed admin interfaces had increased to 1,031, although instances with port 8000 enabled had dropped from 153 to 137.
Proof-of-Concept Exploit Code
After details of the flaw became public on Feb. 1, proof-of-concept exploit code quickly followed.
On Wednesday, Rapid7 published its own proof-of-concept code for exploiting the flaw. It reports that the vulnerability can be exploited by gaining remote access to GoAnywhere MFT's administration port, which is set to port 8000 by default, "but this can also be exploited via an internal user's browser."
An exploit for the flaw was added Thursday to the Metasploit open-source penetration testing framework.
Among the many GoAnywhere MFT users is CISA, which is part of the Department of Homeland Security. CISA uses the software for its secure file-drop service, which enables individuals to submit information or malicious files for review. CISA's service had been suspended - presumably until a patch was in place - but was restored on Monday morning.