Ransomware

GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

The exploitation of a GoAnywhere MFT zero-day vulnerability has been linked to a cybercrime group and ransomware attacks.

Published

The exploitation of a GoAnywhere MFT zero-day vulnerability has been linked to a cybercrime group and ransomware attacks.

The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack. 

On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit. The vendor immediately provided indicators of compromise (IoCs) and mitigations, but released a patch only a week later. 

Users, particularly those who are running an admin portal that is exposed to the internet, have been instructed to urgently install the patch. 

There appear to be more than 1,000 internet-exposed instances of GoAnywhere. However, according to the vendor, exploitation requires access to the application’s admin console, and at least some of the exposed instances are associated with the product’s web client interface, which is not impacted. 

No information was made available about the attacks exploiting the vulnerability, but managed endpoint detection and response firm Huntress reported this week that these attacks may have been conducted by a known cybercrime group. The company reached the conclusion after analyzing an attack detected in a customer environment on February 2.

Huntress has linked the attack to a malware family named Truebot, which was previously associated with a Russian-speaking threat actor named Silence. This group has also been linked to TA505, a threat group known for distributing the notorious Cl0p ransomware

Advertisement. Scroll to continue reading.

“Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” Huntress said in a blog post.

Cybersecurity firm Rapid7 has analyzed the vulnerability and assigned it the CVE identifier CVE-2023-0669. While the product does not belong to Rapid7, the company is a CVE Numbering Authority and it can assign CVEs to flaws found in the products of other vendors. 

Related: Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Related: Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

In this article:, ,

Related Content

Ransomware

Ransomware

BlueHammer Vulnerability Exploited in Ransomware Attacks

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

6 hours ago

Data Breaches

More Klue Breach Victims Identified as Hackers Get Hacked

Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact.

4 days ago

Malware & Threats

Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

The attackers deployed a new Go-based backdoor that uses Microsoft Teams servers for command-and-control.

June 17, 2026

Ransomware

Ransomware Attack Shuts Down Mills of Australia’s Second-Largest Sugar Producer

Mackay Sugar was targeted in a cyberattack carried out by a threat group known as The Gentlemen.

June 15, 2026

Cybercrime

Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges

Oleksii Oleksiyovych Lytvynenko admitted to working on the development of a loader for the Conti gang.

June 15, 2026

Ransomware

Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks

The authentication bypass vulnerability allows attackers to establish VPN connections without a valid password.

June 9, 2026

Ransomware

Silent Ransom Group Uses DNS Fast Flux in Attacks

Focusing on hacking law firms in the US, the ransomware group relies on fast flux to hide its C&C infrastructure.

June 8, 2026

Data Breaches

American Lending Center Data Breach Affects 123,000 Individuals

The non-bank lender discovered a ransomware attack nearly one year ago, but only recently completed its investigation.

May 15, 2026

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version