Fraud Management & Cybercrime , Governance & Risk Management , Privacy

Clop Ransomware Claims Widespread GoAnywhere MFT Exploits

Experts Urge Rapid File Transfer Software Patching to Fix Zero-Day Vulnerability
Clop Ransomware Claims Widespread GoAnywhere MFT Exploits
Image: Fortra

Attackers are actively exploiting a zero-day vulnerability in widely used managed file transfer software GoAnywhere MFT to take full control of systems, and in some cases to deploy ransomware.

See Also: From Epidemic to Opportunity: Defend Against Authorized Transfer Scams

Security experts report that the flaw, which is present in the software's administrator console, can be exploited without having to authenticate or otherwise log into the console, and gives attackers shell access to servers. More than 1,000 administrator ports for the software appear to remain exposed to the internet and at risk of being exploited.

The vulnerability, designated CVE-2023-0669, exists in versions of GoAnywhere MFT - aka managed file transfer - prior to 7.1.2. The software is sold by Fortra, formerly known as HelpSystems.

"GoAnywhere MFT contains a pre-authentication remote code-execution vulnerability in the License Response Servlet due to deserializing an attacker-controlled object," the U.S. Cybersecurity and Infrastructure Security Agency warns in its Known Exploited Vulnerabilities Catalog.

Fortra's initial security alert, issued Feb. 1, advised users to disable the servlet, and provided instructions for doing so. On Tuesday, Fortra released version 7.1.2 of the software, which patches the problem without having to disable the servlet.

"We urgently advise all GoAnywhere MFT customers to apply this patch," the company says in its security alert. "Particularly for customers running an admin portal exposed to the internet, we consider this an urgent matter." It also recommends that all users ensure access controls are in place for any internet-exposed administrative consoles.

The company says all current users should upgrade immediately to GoAnywhere MFT 7.1.2 to fully remediate this vulnerability. "Be sure to download the upgrader, not the installer."

The software can be deployed on-premises; in the cloud via such platforms as AWS and Microsoft Azure; via a hosted, software-as-a-service plan offered by Fortra; and within hybrid environments.

Clop Claims Victims

At least one ransomware group claims to have already been exploiting the flaw to amass victims. Bleeping Computer reports that the Clop ransomware gang proactively reported Friday that over the preceding 10 days, it had exploited the flaw to breach networks used by 130 different organizations. The gang's claims could not be verified.

Joe Slowik, threat intelligence manager at managed security platform provider Huntress, reported on Wednesday that a recent attack that targeted GoAnywhere MFT may trace to a group that has previously deployed Clop ransomware.

Slowik says the attack against a managed host that it was monitoring occurred on Feb. 2, and the host appeared to suffer "a web server compromise of some kind, which resulted in the download and execution of a malicious file" on a system that was "designated for GoAnywhereMFT services."

Based on an analysis of a DLL file used in the attack, Slowik reports that the malware appears to be an updated version of Truebot malware, which has been used to gain initial access to a victim's network by the Russian-language Silence group, which was first spotted in 2016. Its activities have been linked to those of the cybercrime group with the codename TA505, and include Clop ransomware distribution.

"Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose," Slowik reports.

Security Alert: Access Hurdle

The first known attacks to exploit this flaw began Jan. 25. The company recommends all users review their goanywhere.log files for signs of suspicious activity, including admin user or web user accounts with unrecognized usernames, as well as accounts being created when no one legitimate would likely have done so.

Accessing details of the vulnerability requires first creating an account with Fortra. While doing so is free, security experts have criticized the company for not making details directly accessible.

"Hiding security advisories behind a customer portal is something we heavily discourage," says security firm Rapid7 in its vulnerability analysis. "It's optimal when this type of information is public so users can stay informed and protect themselves as easily as possible."

Instead, the first public details of the alert came courtesy of cybersecurity blogger Brian Krebs, who on Feb. 2 cut and posted the security notification into a Mastodon post.

In response to Krebs' post, cybersecurity expert Kevin Beaumont reported that day that a Shodan search was turning up 1,008 potentially vulnerable systems, and port 8000 was being used by 153 of them. "Port 8000 (non-HTTPS) and 8001 (HTTPS) are the admin ports," he said in a Mastodon post. "Almost all the admin ports exposed to internet are port 8000, because why use encryption."

As of Monday, a Shodan search showed that the number of potentially exposed admin interfaces had increased to 1,031, although instances with port 8000 enabled had dropped from 153 to 137.

Proof-of-Concept Exploit Code

After details of the flaw became public on Feb. 1, proof-of-concept exploit code quickly followed.

On Feb. 6, security researcher and professional red teamer Florian Hauser, aka @frycos, published details of the underlying deserialization bug and a proof-of-concept exploit for the flaw.

On Wednesday, Rapid7 published its own proof-of-concept code for exploiting the flaw. It reports that the vulnerability can be exploited by gaining remote access to GoAnywhere MFT's administration port, which is set to port 8000 by default, "but this can also be exploited via an internal user's browser."

An exploit for the flaw was added Thursday to the Metasploit open-source penetration testing framework.

Among the many GoAnywhere MFT users is CISA, which is part of the Department of Homeland Security. CISA uses the software for its secure file-drop service, which enables individuals to submit information or malicious files for review. CISA's service had been suspended - presumably until a patch was in place - but on Monday morning was restored.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.