Fortra’s GoAnywhere MFT Utility vulnerable to ransomware

May 5, 2023 - TuxCare PR Team

Fortra has discovered a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT utility, which ransomware actors have actively exploited to steal sensitive data.

CVE-2023-0669 (CVSS score: 7.2) is a high-severity, pre-authentication command injection bug that could be exploited for code execution. The vulnerability was patched in software version 7.1.2 in February 2023, but not before it had been weaponized as a zero-day since January 18.

On January 30, 2023, Fortra said that it became aware of suspicious activity relating to specific instances of file transfers. An unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS (Managed File Transfer as a Service) customer environments. For some of these customers, according to the firm, the unauthorized party then used these accounts to download files from their hosted MFTaaS environments.

From January 28 to January 31, the attackers also used two more tools, “Netcat” and “Errors.jsp,” although not all installation attempts were successful. The vulnerability was also exploited against a few on-premises instances of the GoAnywhere MFT solution that were running a certain configuration.

Fortra indicated that it directly informed the affected customers, and that it has found no evidence of unauthorized access to customer systems that have been provided with a “clean and secure MFTaaS environment.” To address the matter, the company recommends that users rotate the Master Encryption Key, reset all credentials, review audit logs, and delete any suspicious admin or user accounts.

In a related development, Malwarebytes and NCC Group observed an increase in ransomware attacks in March, owing mostly to active exploitation of the GoAnywhere MFT vulnerability. In March 2023, 459 attacks were recorded, a 91% rise over February 2023 and a 62% increase over March 2022.

After successfully exploiting the GoAnywhere vulnerability, Cl0p, a ransomware-as-a-service (RaaS) provider, was the most active threat actor observed, with 129 victims in total. Royal, BlackCat, Play, Black Basta, and BianLian were also common ransomware variants. Cl0p attackers had already breached many targets in 2021 by exploiting zero-day vulnerabilities in Accellion File Transfer Appliance (FTA).

The sources for this piece include an article in TheHackerNews.
