Cyber Crime

Clop ransomware claims the hack of 130 orgs using GoAnywhere MFT flaw

The Clop ransomware group claims to have breached over 130 organizations exploiting the GoAnywhere MFT zero-day.

The Clop ransomware group claims to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Fortra immediately addressed the flaw with the release of emergency security patch and urged customers to install it.

The popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

“GoAnywhere MFT, a popular file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily implemented a service outage in response.” Krebs wrote on Mastodon. “I had to create an account on the service to find this security advisory”

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system.

Clop told BleepingComputer that they were able to compromise over 130 organizations in just ten days, but did not share details regarding their claims.

The crooks also claims to have fully compromised the network organizations, but did not deploy any ransomware.

Multiple experts already released exploits for the CVE-2023-0669 vulnerability, on February 6, 2023, the researcher Florian Hauser of IT security consulting firm Code White released a proof-of-concept (PoC) exploit code.

Ron Bowes, lead security researcher at Rapid7 announced they have merged their exploit for Fortra’s GoAnywhere MFT into Metasploit

Researchers at threat intelligence firm Huntress shared findings of their investigation into GoAnywhere MFT exploitation and linked the attacks to the TA505 threat actors.

“While links are not authoritative, analysis of Truebot activity and deployment mechanisms indicate links to a group referred to as TA505Distributors of a ransomware family referred to as Clop, reporting from various entities links Silence/Truebot activity to TA505 operations.” reads the analysis published by Huntress. “Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose.”

This week CISA also added the GoAnywhere MFT flaw to its  Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

1 hour ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

8 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

19 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

24 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.