Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

The exploitation of a GoAnywhere MFT zero-day vulnerability has been linked to a cybercrime group and ransomware attacks.

The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack. 

On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit. The vendor immediately provided indicators of compromise (IoCs) and mitigations, but released a patch only a week later. 

Users, particularly those who are running an admin portal that is exposed to the internet, have been instructed to urgently install the patch. 

There appear to be more than 1,000 internet-exposed instances of GoAnywhere. However, according to the vendor, exploitation requires access to the application’s admin console, and at least some of the exposed instances are associated with the product’s web client interface, which is not impacted. 

No information was made available about the attacks exploiting the vulnerability, but managed endpoint detection and response firm Huntress reported this week that these attacks may have been conducted by a known cybercrime group. The company reached the conclusion after analyzing an attack detected in a customer environment on February 2.

Huntress has linked the attack to a malware family named Truebot, which was previously associated with a Russian-speaking threat actor named Silence. This group has also been linked to TA505, a threat group known for distributing the notorious Cl0p ransomware

“Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” Huntress said in a blog post.

Cybersecurity firm Rapid7 has analyzed the vulnerability and assigned it the CVE identifier CVE-2023-0669. While the product does not belong to Rapid7, the company is a CVE Numbering Authority and it can assign CVEs to flaws found in the products of other vendors. 

Advertisement. Scroll to continue reading.

Related: Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Related: Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.