The Clop ransomware group claims to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.
Fortra immediately addressed the flaw with the release of emergency security patch and urged customers to install it.
The popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.
“GoAnywhere MFT, a popular file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily implemented a service outage in response.” Krebs wrote on Mastodon. “I had to create an account on the service to find this security advisory”
According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.
Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.
Fortra recommends GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system.
Clop told BleepingComputer that they were able to compromise over 130 organizations in just ten days, but did not share details regarding their claims.
The crooks also claims to have fully compromised the network organizations, but did not deploy any ransomware.
Multiple experts already released exploits for the CVE-2023-0669 vulnerability, on February 6, 2023, the researcher Florian Hauser of IT security consulting firm Code White released a proof-of-concept (PoC) exploit code.
Ron Bowes, lead security researcher at Rapid7 announced they have merged their exploit for Fortra’s GoAnywhere MFT into Metasploit
Researchers at threat intelligence firm Huntress shared findings of their investigation into GoAnywhere MFT exploitation and linked the attacks to the TA505 threat actors.
“While links are not authoritative, analysis of Truebot activity and deployment mechanisms indicate links to a group referred to as TA505. Distributors of a ransomware family referred to as Clop, reporting from various entities links Silence/Truebot activity to TA505 operations.” reads the analysis published by Huntress. “Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose.”
This week CISA also added the GoAnywhere MFT flaw to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Clop ransomware)