Clop ransomware is victimizing GoAnywhere MFT customers
The Clop ransomware gang has claimed responsibility for attacking several GoAnywhere MFT customers by exploiting a vulnerability in the managed file transfer software’s administrative interface.
The post Clop ransomware is victimizing GoAnywhere MFT customers appeared first on Malwarebytes Labs.
According to information gathered by BleepingComputer, the Clop ransomware group has claimed responsibility for the ransomware attacks that are tied to a vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.
As we reported on February 8, Fortra released an emergency patch (7.1.2) for an actively exploited zero-day vulnerability found in the GoAnywhere MFT administrator console.
GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.
Some of these organizations are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.
The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies. At the time it was impossible to confirm this claim, but after two earlier victims, Community Health Systems (CHS) and Hatch Bank, disclosed that data was stolen in the GoAnywhere MFT attacks, the Clop leak site now shows seven new companies. At least two of them reportedly have been breached using the GoAnywhere MFT vulnerability.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The exploited vulnerability is tracked as CVE-2023-0669 and is described as a pre-authentication command injection vulnerability in the License Response Servlet, caused by deserializing an arbitrary attacker-controlled object.
It is unknown whether these victims were targeted during the time that there was no patch available for the vulnerability or later. Recent scans showed that around 1,000 administrative consoles are publicly exposed to the internet. The Web Client interface, which is the one that is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.
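Because the exposed surface is specifically the administrative interface and not the Web Client, one thing a defender can do is hunt the administration console's access log for requests to the License Response Servlet endpoint (the /lic/accept/ url-pattern from Fortra's mitigation, quoted further down) that come from outside the trusted administration network. The script below is an added example and not code from Malwarebytes or Fortra; the combined log format, the /goanywhere context path, and every address and timestamp in the sample are constructed assumptions.

```python
"""Hunt an access log for requests to the GoAnywhere MFT license-response endpoint.

Added example, not code from Malwarebytes or Fortra. The log format (Apache/Tomcat
"combined"), the /goanywhere context path and every address and timestamp below are
constructed assumptions; only the /lic/accept/ servlet mapping comes from Fortra's
mitigation text.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: one trusted administrator, one external host that repeatedly
# posts to the license endpoint, and ordinary Web Client traffic that must not be flagged.
SAMPLE_LOG = """\
10.10.5.20 - - [06/Feb/2023:09:12:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.5.20 - - [06/Feb/2023:09:12:44 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.77 - - [06/Feb/2023:03:41:09 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
203.0.113.77 - - [06/Feb/2023:03:41:10 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 1234 "-" "python-requests/2.28.1"
198.51.100.9 - - [06/Feb/2023:08:00:00 +0000] "GET /webclient/Login.xhtml HTTP/1.1" 200 7400 "-" "Mozilla/5.0"
"""

# Apache/Tomcat combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# url-pattern of the License Response Servlet from Fortra's mitigation; the request
# path carries the application's context path in front of it, so we match on the suffix.
LICENSE_ENDPOINT = "/lic/accept"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hits_license_endpoint(path):
    """True if the request path (query string aside) ends with the license servlet mapping."""
    return path.split("?", 1)[0].rstrip("/").endswith(LICENSE_ENDPOINT)


def hunt(log_text, trusted_networks):
    """Return records of license-endpoint requests from sources outside the trusted networks.

    The Web Client interface is not affected, so only the administrative endpoint matters;
    requests from the trusted administration network are treated as expected.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not hits_license_endpoint(rec["path"]):
            continue
        src = ipaddress.ip_address(rec["ip"])
        if any(src in net for net in trusted):
            continue
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Count alerts per source address so triage can start with the noisiest host."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, ["10.10.0.0/16"])
    for a in found:
        print(f'{a["ts"].isoformat()} {a["ip"]} {a["method"]} {a["path"]} -> {a["status"]}')
    print(summarize(found))
```

Run against a real console log, the trusted network list should be the ranges from which administration is actually performed; any request to the endpoint from elsewhere during the unpatched window is worth triaging, whatever status code it returned.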
Mitigation
If your GoAnywhere MFT administration portal is exposed to the Internet, you are urged to download the security patch from the Product Downloads tab at the top of the GoAnywhere account page, which you will see after logging in.
If for some reason you can’t install the patch, Fortra says you should follow the mitigation steps it put out, which involve restricting access so that the administrator console interface can only be reached from trusted sources, or disabling the licensing service altogether. There is also a technical mitigation configuration shared in the advisory that is only visible after logging in (which can be done with a free account if you are interested).
On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml
Find and remove (delete or comment out) the following servlet and servlet-mapping configuration in the screenshot below.
Before:
<servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
After:
<!--
Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments
<servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
-->
Restart the GoAnywhere MFT application
If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.
If you have questions, our support team is here to help. Please contact Support via the portal https://my.goanywhere.com/, email [email protected], or phone 402-944-4242 for assistance.
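Once the web.xml edit has been made on every node, it is worth verifying mechanically that nothing still declares or maps the License Response Servlet. The check below is an added example and not Fortra's or Malwarebytes' code: it parses a web.xml and reports any live servlet declaration of the class named in the advisory, and any servlet-mapping that either points at it or still claims the /lic/accept/ url-pattern. The two embedded web.xml documents are constructed samples, the web-app namespace in them is an assumption, and the second servlet in them is a placeholder.

```python
"""Check a GoAnywhere MFT adminroot web.xml for the CVE-2023-0669 servlet mitigation.

Added example, not Fortra's or Malwarebytes' code. The servlet class, servlet name and
url-pattern are taken from the mitigation text quoted above; the two web.xml samples below
are constructed, and the web-app namespace used in them is an assumption.
"""
import sys
import xml.etree.ElementTree as ET

SERVLET_CLASS = "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"
URL_PATTERN = "/lic/accept/"

# Constructed web.xml before the mitigation: the license servlet and its mapping are live.
# "com.example.placeholder.AdminServlet" is a placeholder standing in for any other servlet.
WEB_XML_BEFORE = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Admin Console</servlet-name>
    <servlet-class>com.example.placeholder.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The same file after applying the mitigation: the section sits inside an XML comment.
WEB_XML_AFTER = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Admin Console</servlet-name>
    <servlet-class>com.example.placeholder.AdminServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def local_name(tag):
    """Strip the namespace from an ElementTree tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text):
    """Return the live servlet names and mappings that still expose the license servlet.

    ElementTree discards comments while parsing, so a section that was commented out
    as in Fortra's 'After' block is correctly treated as removed.
    """
    root = ET.fromstring(xml_text)
    exposed_servlets = []
    for el in root:
        if local_name(el.tag) == "servlet" and child_text(el, "servlet-class") == SERVLET_CLASS:
            exposed_servlets.append(child_text(el, "servlet-name"))
    exposed_mappings = []
    for el in root:
        if local_name(el.tag) != "servlet-mapping":
            continue
        name = child_text(el, "servlet-name")
        # Flag the mapping if it either points at the license servlet or still claims its URL.
        if name in exposed_servlets or child_text(el, "url-pattern") == URL_PATTERN:
            exposed_mappings.append(name)
    return {"servlets": exposed_servlets, "mappings": exposed_mappings}


def is_mitigated(xml_text):
    """True only when neither the servlet declaration nor any mapping to it remains active."""
    findings = audit_web_xml(xml_text)
    return not findings["servlets"] and not findings["mappings"]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: pass the path of the adminroot web.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = [(sys.argv[1], fh.read())]
    else:
        docs = [("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)]
    for label, doc in docs:
        print(label, audit_web_xml(doc), "mitigated" if is_mitigated(doc) else "NOT mitigated")
```

In a cluster the script has to be run against the web.xml on every node, since the advisory requires the change on each instance; a single node left with a live mapping is enough for the endpoint to remain reachable there.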
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.