Fortra Describes the GoAnywhere MFT Zero-Day Exploitation Used in Ransomware Attacks
Fortra, the company behind Cobalt Strike, describes a zero-day remote code execution (RCE) vulnerability in its MFT GoAnywhere tool that ransomware actors have actively exploited to steal sensitive data.
High-severity disability, tracked as CVE-2023-0669 (CVSS score: 7.2), deals with cases of injection of pre-authenticated commands that can be abused to achieve code execution. The issue was patched by the company in software version 7.1.2 in February 2023, but before weaponization as day zero since January 18th.
Fortra, which works with Palo Alto Networks Unit 42, said it had become aware of suspicious activity related to several file transfer cases on January 30, 2023.
“Unauthorized parties used CVE-2023-0669 to create unauthorized user accounts in multiple MFTaaS customer environments,” the company said. said. “For some of these customers, unauthorized parties exploit these user accounts to download files from the hosted MFTaaS environment.”
Threat actors further abused the vulnerability to deploy two additional tools, dubbed “netcat” and “Errors.jsp,” between January 28, 2023 and January 31, 2023, although not all installation attempts were said to be successful.
Fortra said it is directly reaching out to affected customers, and has found no signs of unauthorized access to customer systems that have been reorganized into a “clean and secure MFTaaS environment.”
While Netcat is a legitimate program for managing reading and writing data over a network, it’s currently unknown how JSP file used in the attack.
The investigation also found that CVE-2023-0669 was exploited against a small number of local implementations running specific configurations of the GoAnywhere MFT solution.
As a mitigation, the company recommends that users rotate Master Encryption Keys, reset all credentials, review audit logs, and remove suspicious admin or user accounts.
Development comes as Malwarebytes And NCC Group reported a spike in ransomware attacks during the month of March, driven in large part by the active exploitation of the MFT GoAnywhere vulnerability.
A total of 459 attacks were recorded last month alone, a 91% increase from February 2023 and a 62% jump when compared to March 2022.
Surviving Fraud: Advancing Zero Trust Security
Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!
“The ransomware-as-a-service (RaaS) provider, Cl0p, successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with a total of 129 victims,” said the NCC Group.
The Cl0p exploit marked the second time LockBit has been knocked off the top spot since September 2021. Other common types of ransomware include Royal, BlackCat, Play, Black Basta, and BianLian.
It should be noted that actor Cl0p previously exploited a zero-day flaw in the Accellion File Transfer Appliance (FTA) to breach multiple targets in 2021.
