Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Apr 20, 2023Ravie LakshmananRansomware / Cyber Attack

Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data.

The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18.

Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023.

“The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” the company said. “For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments.”

The threat actor further abused the flaw to deploy two additional tools, dubbed “Netcat” and “Errors.jsp,” between January 28, 2023 and January 31, 2023, although not every installation attempt is said to have been successful.

Fortra said it directly reached out to affected customers, and that it has not found any sign of unauthorized access to customer systems that have been reprovisioned a “clean and secure MFTaaS environment.”

While Netcat is a legitimate program for managing reading and writing data over a network, it’s currently not known how the JSP file was used in the attacks.

The investigation also found that CVE-2023-0669 was exploited against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution.

As recommendations, the company is recommending that users rotate the Master Encryption Key, reset all credentials, review audit logs, and delete any suspicious admin or user accounts.

The development comes as Malwarebytes and NCC Group reported a spike in ransomware attacks during the month of March, largely driven by active exploitation of the GoAnywhere MFT vulnerability.

A total of 459 attacks were recorded last month alone, a 91% increase from February 2023 and a 62% jump when compared to March 2022.

“The ransomware-as-a-service (RaaS) provider, Cl0p, successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with 129 victims in total,” NCC Group said.

Cl0p’s exploitation spree marks the second time LockBit has been knocked off the top spot since September 2021. Other prevalent ransomware strains included Royal, BlackCat, Play, Black Basta, and BianLian.

It’s worth noting that the Cl0p actors previously exploited zero-day flaws in Accellion File Transfer Appliance (FTA) to breach several targets in 2021.