A new flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) software was disclosed on January 22, 2024 in an advisory from the company, though it was initially patched in early December.
The vulnerability involves an authentication bypass issue which, when exploited, would enable an attacker to create new users, including new user accounts with administrator privileges on the vulnerable MFT instance.
An attacker could use these elevated privileges to steal data, which could then be used in extortion campaigns against victims.
“Notably, GoAnywhere was targeted by the Cl0p ransomware group last year, leveraging a zero-day vulnerability (CVE-2023-0669), to compromise data from several organisations,” said Satnam Narang, sr. staff research engineer, Tenable.
The group, claiming to have stolen data from “over 130 organisations” demonstrated a particular focus on file transfer solutions like GoAnywhere along with several others including Accellion File Transfer Appliance and Progress Software’s MOVEit Transfer solution.”
“ There’s a potential that CIop and other ransomware groups may exploit this new vulnerability in upcoming attacks, especially since a public proof-of-concept exploit is available.”
“Historically, once a public proof-of-concept has been released, we see an uptick in exploit scanning activity, searching for vulnerable instances, which often escalates into mass exploitation.”
“Organisations that use GoAnywhere MFT are strongly encouraged to apply the available patch as soon as possible. In cases where immediate patching isn’t feasible, there are mitigation instructions that can be applied to thwart exploitation attempts.” Concluded Narang.
