Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw

After several weeks and more than 130 ransomware victims, GoAnywhere parent company Fortra issues a statement.

DARKReading

A vulnerability in a commonly used file transfer service called GoAnywhere has allowed the Clop ransomware group to breach about 130 organizations. Weeks later, details are still emerging about the sprawling attack.

Up until now, those details weren’t coming from GoAnywhere parent company Fortra. It’s been the victim organizations making headlines with public data breach disclosures. GoAnywhere customers that have disclosed they were breached through the GoAnywhere MFT remote code execution vulnerability, tracked as CVE-2023-0669, so far include Community Health Systems, Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, and the City of Toronto. Taken together, these breaches represent the exposure of millions of people’s private data to the worst cybercriminal elements.

Clop cybercriminals were eager to provide details of their campaign, claiming on their leak site that they used the exploit over the course of 10 days to breach more than 130 companies, according to reports.

For its part, Fortra has remained publicly quiet about the steady stream of disclosures. But today, it gave Dark Reading a statement with reassurances that it’s committed to helping its customers navigate what is evolving into a communications crisis, as well as a cybersecurity one, for the company.

“On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution,” Fortra says in a statement issued to Dark Reading. “We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch.”

Fortra added that it remains committed to supporting its affected users.

“We are working diligently to notify customers who may have been impacted and we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue,” Fortra’s spokesperson’s statement adds. “We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”

Fortra’s Communications Under Fire

First reports of the GoAnywhere zero-day were shared on Feb. 2 by cybersecurity news site KrebsOnSecurity, which, after finding the advisory tucked behind a login page, simply pasted the information for the public to see. Days later, a patch was issued by Fortra. Betting on patch lag, the Clop ransomware threat actors took advantage in the ensuing days. On Feb. 10, the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog.

Nonetheless, companies have continued to get caught up in the ongoing campaign. And despite Fortra’s assurances, cybersecurity analysts, experts, and watchers are widely critical of the company’s lack of communication and slow response in offering guidance to victims and targets. It should be noted that the attack surface is broad, too: According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. And according to data from Enlyft, most of those are large organizations — with at least 1,000 and often more than 10,000 employees — mostly based in the United States.

“This one wasn’t communicated well, challenging even the best security teams to respond,” Heath Renfrow, co-founder of Fenix24, tells Dark Reading in response to the freshly issued statement from Fortra. “This is a good example of how it is necessary for security professionals to have multiple sources of threat intelligence — beyond just their providers — to cover every base. That said, it has been communicated now and anyone using the solution should patch immediately.”

Slow communication can be especially detrimental in a software supply chain attack scenario, Dirk Schrader, vice president of security research at Netwrix, said.

“To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened,” he noted via email. “It helps other links in this chain to be prepared for an upcoming threat and minimizes possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner.”

Dark Reading asked Fortra for a response to the criticism of its handling of the cybersecurity incident but has not received a response. Meanwhile, Fortra’s customer, the City of Toronto, when asked about its communications with Fortra regarding the breach, gave a simple response by email: “Fortra has been communicating with the City and continues to do so.”

This isn’t the first time operators of Clop ransomware have pulled off a mass breach like this. Russia-based FIN11 used Clop ransomware in December 2020 to jump on a similar Accellion zero-day flaw.

Related news

Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs

Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.

Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin

A critical security flaw has been disclosed in Fortra's GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user. Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10. "Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," Fortra

Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The

GoAnywhere Encryption Helper 7.1.1 Remote Code Execution

GoAnywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.

Rubrik is latest victim of the Clop ransomware zero-day campaign

Rubrik, a cloud data management company, has revealed that Clop made use of an infamous GoAnywhere flaw (CVE-2023-0669). Originally published on Malwarebytes Labs.

Clop ransomware is victimizing GoAnywhere MFT customers

The Clop ransomware gang has claimed responsibility for attacking several GoAnywhere MFT customers by exploiting a vulnerability (CVE-2023-0669) in the managed file transfer software's administrative interface. Originally published on Malwarebytes Labs.

Threat Source newsletter (Feb. 23, 2023) — Social media sites are making extra security a paid

App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.

U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows - CVE-2022-47986 (CVSS score: 9.8) - IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 (CVSS score: 6.8) - Mitel MiVoice Connect Code Injection

GoAnywhere zero-day opened door to Clop ransomware

The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles, a flaw CISA has since added to its Known Exploited Vulnerabilities Catalog. Originally published on Malwarebytes Labs.

Massive GoAnywhere RCE Exploit: Everything You Need to Know

Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.

CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details

Fortra GoAnywhere MFT Unsafe Deserialization Remote Code Execution

This Metasploit module exploits an object deserialization vulnerability in Fortra GoAnywhere MFT.

CVE-2023-0669: Customer Portal

Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
