GoAnywhere MFT hit by ransomware group following discovery of critical vulnerability.
According to reports, the Clop ransomware operators have asserted that they are behind the recent attacks exploiting a 0-day vulnerability in GoAnywhere MFT, a secure file transfer tool. They claim to have exfiltrated data from 130 organizations as a result of the vulnerability.
GoAnywhere MFT is a file transfer tool designed to help organizations securely exchange files with partners and maintain audit logs of who accessed shared files. It was created by Fortra (formerly known as HelpSystems), the same company behind the widely used Cobalt Strike penetration testing tool. Cobalt Strike can be used for network security testing and identifying vulnerabilities. However, it has also been used by cybercriminals as part of their attack toolkit for conducting post-exploitation activities on compromised systems. Some of the functionalities of Cobalt Strike include launching command and control servers, deploying payloads, and performing privilege escalation and lateral movement on the compromised network.
Early in February, it was reported that RCE exploits and attacks on GoAnywhere MFT had been discovered, resulting in the temporary suspension of their SaaS service.
However, it was emphasised that exploiting the vulnerability requires access to the administrative console, which should not be available over the internet in normal conditions. Nevertheless, Shodan has identified approximately 1,000 publicly available instances of GoAnywhere, with only around 140 installations using the vulnerable admin console ports 8000 and 8001.
On February 7, 2023, Fortra released an emergency patch for this 0-day vulnerability and urged all customers to install it as soon as possible. The vulnerability was assigned CVE-2023-0669 and does indeed allow remote execution of arbitrary code in GoAnywhere MFT if the admin console is accessible over the internet.
According to the cyber security website Bleeping Computer, the operators of the Clop ransomware have claimed to have successfully exploited this bug to breach a large number of companies. The hackers also stated that they could have used the vulnerability to move laterally within their victims’ networks and deploy ransomware payloads, but chose only to steal documents stored on compromised GoAnywhere MFT servers.
Clop has also been linked to ransomware attacks worldwide since at least 2019. Some victims that had their servers encrypted by Clop include Maastricht University, Software AG IT, ExecuPharm, and Indiabulls.
It has not been possible to confirm or refute the hackers’ claims. However, expert Joe Slowik from Huntress Threat Intelligence was able to link the attacks on GoAnywhere MFT to the TA505 group, who are known to have deployed the Clop ransomware in the past.
What we know about TA505
TA505 is a known hacking group that has been active since at least 2014. The group is believed to be based in Russia and has been linked to a wide range of cyber attacks, including malware campaigns, phishing scams, and ransomware attacks.
TA505 has been known to use a variety of different malware strains, including the Dridex banking Trojan, Locky ransomware, and the AndroMut Android banking Trojan. The group has also been linked to the development and distribution of other types of malware, such as the Jaff ransomware and the ServHelper remote access Trojan.
The group is known for its sophisticated attack techniques, which often involve extensive reconnaissance, social engineering, and targeted spear-phishing campaigns. TA505 has been known to target a variety of industries, including banking and finance, healthcare, and retail.
Despite the group’s notoriety, its members have managed to evade arrest and prosecution, and the group remains active to this day.