Zero-Day GoAnywhere MFT Vulnerability Exploited by Clop Ransomware Gang

A zero-day vulnerability in the GoAnywhere MFT secure file transfer tool has allegedly been exploited by the Clop ransomware gang to attack more than 130 organizations. The vulnerability – CVE-2023-0669 – can be remotely exploited to gain access to unpatched GoAnywhere MFT instances that have their admin console exposed to the Internet. Successful exploitation of the flaw will allow arbitrary code to be executed.

BleepingComputer says it was contacted by a member of the Clop ransomware group who claimed to have exploited the vulnerability in more than 130 attacks over a period of around 10 days, and that after exploiting the flaw the gang was able to move laterally and identify and exfiltrate data. As is now becoming increasingly common, ransomware gangs are choosing to conduct extortion-only attacks. While the Clop gang would have been able to encrypt files, the decision was made not to do so and only exfiltrate data for extortion purposes.

Similar tactics were used in attacks on the Accellion File Transfer Appliance (FTA) in 2021. In those attacks, the decision was also taken to steal data for extortion and not deploy ransomware to encrypt files. The attacks were attributed to a threat group called FIN11, which is known to have used Clop ransomware in the past. The stolen data was then added to the Clop data leak site to pressure victims into paying the ransom.

Fortra, the developer of GoAnywhere MFT, issued a security alert last week confirming a zero-day vulnerability had been identified which was being actively exploited in the wild. This week, a proof-of-concept exploit was publicly released that allows remote code execution. A patch has yet to be released to fix the flaw, which affects both the on-premises and SaaS implementations of the solution. The recommended mitigation until a patch is released is not to expose the admin console to the Internet: make the admin console available only from within a private company network or, if remote access is required, allow-list specific IP addresses or require a VPN to be used.

Fortra also recommends a configuration change: on the file system where GoAnywhere MFT is installed, edit the “[install_dir]/adminroot/WEB_INF/web.xml” file, remove the servlet and servlet-mapping configuration entries detailed in the security alert, then restart the application.
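The web.xml edit above is easy to get wrong by hand (the `<servlet>` and `<servlet-mapping>` entries are separate elements and both must go, and the change must survive a namespaced root element). The following script is an added example, not Fortra's code or tooling: it removes a named servlet and its mapping from a web.xml and reports which mappings remain so the change can be verified before the application is restarted. The servlet name to remove is a placeholder here; the real name comes from the Fortra security alert, and the sample web.xml embedded in the script is constructed for illustration, not the real GoAnywhere file.

```python
"""Remove a named servlet and its servlet-mapping from a Java web.xml.

Added example, not Fortra's code. It mirrors the interim mitigation for
GoAnywhere MFT: delete the <servlet> and <servlet-mapping> entries for the
servlet named in the vendor alert, then restart the application.
"""
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Placeholder: substitute the servlet name given in the Fortra alert.
SERVLET_NAME_FROM_ADVISORY = "PLACEHOLDER Servlet"

# Constructed sample web.xml (not the real GoAnywhere file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Admin Console</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Admin Console</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>PLACEHOLDER Servlet</servlet-name>
    <servlet-class>com.example.PlaceholderServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PLACEHOLDER Servlet</servlet-name>
    <url-pattern>/placeholder/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _namespace(root):
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _servlet_names_of(element):
    return [(e.text or "").strip() for e in element if _local(e.tag) == "servlet-name"]


def mapped_servlets(xml_text):
    """Return the set of servlet names that still have a <servlet-mapping>.

    Use this after the edit: the target name must not appear in the result.
    """
    root = ET.fromstring(xml_text)
    names = set()
    for child in root:
        if _local(child.tag) == "servlet-mapping":
            names.update(_servlet_names_of(child))
    return names


def remove_servlet(xml_text, servlet_name):
    """Return (new_xml, removed_count).

    Removes every top-level <servlet> and <servlet-mapping> whose
    <servlet-name> equals servlet_name. Running it twice is harmless:
    the second call removes nothing.
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    if ns:
        # Keep the default namespace unprefixed when serialising, so the
        # container still recognises the file as a plain web.xml.
        ET.register_namespace("", ns)
    removed = 0
    for child in list(root):
        if _local(child.tag) in ("servlet", "servlet-mapping") and servlet_name in _servlet_names_of(child):
            root.remove(child)
            removed += 1
    new_xml = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return new_xml, removed


def apply_to_file(path, servlet_name):
    """Back up web.xml to web.xml.bak, rewrite it, and return the removed count."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_xml, removed = remove_servlet(path.read_text(encoding="utf-8"), servlet_name)
    path.write_text(new_xml, encoding="utf-8")
    return removed


if __name__ == "__main__":
    # With a path argument, edit that file; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        print("removed", apply_to_file(sys.argv[1], SERVLET_NAME_FROM_ADVISORY), "entries")
    else:
        edited, n = remove_servlet(SAMPLE_WEB_XML, SERVLET_NAME_FROM_ADVISORY)
        print("removed", n, "entries; mappings left:", sorted(mapped_servlets(edited)))
```

Run it with the path to web.xml as the only argument after setting `SERVLET_NAME_FROM_ADVISORY` to the name in the alert; it writes a `.bak` copy first. The `mapped_servlets` check is the part worth keeping in a change ticket: if the name still appears after the edit, the application has not been taken out of the vulnerable configuration, regardless of whether it was restarted.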

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news