Clop Ransomware Group Exploits GoAnywhere MFT Flaw
The ransomware gang known as Clop has been observed exploiting a pre-authentication command injection vulnerability (CVE-2023-0669) in Fortra’s file transfer solution GoAnywhere MFT.
The high-severity vulnerability has a CVSS:3.1 score of 7.2 and was exploited against several companies in the US and elsewhere, according to a new advisory by security experts at CloudSEK.
The flaw derives from a deserialization bug that can be triggered by sending a single POST request to the vulnerable endpoint. CloudSEK warned that a Metasploit module is also available to take advantage of the vulnerability.
“The exploit for this CVE was available a day before the patch (7.1.2) was released on February 7, 2023. Many vulnerable admin panels of GoAnywhere were found to be indexed on Shodan [a search engine for Internet-connected devices] running on port 8000,” reads the technical write-up.
The company clarified that only the GoAnywhere administrative interface was vulnerable to the exploit used by the Clop ransomware group and not the web client interface used by most people.
Still, threat actors could search for web client interfaces on the internet and then try to find admin panels on the same IP.
“Shodan search results indicate that thousands of web panels for GoAnywhere are exposed on the web,” CloudSEK wrote. “Of these thousands, around 94 of them are running on port 8000 or port 8001 where the admin panel […] is located. In order to obtain remote code execution, only a POST request needs to be made to the vulnerable endpoint.”
To mitigate this vulnerability, CloudSEK advised defenders to update to the latest GoAnywhere version and to stop exposing port 8000, the port on which the GoAnywhere MFT admin panel listens, to the internet.
Admin user accounts should also be reviewed for suspicious activity, such as unrecognized usernames, accounts created by unknown ‘systems,’ suspicious timing of account creation, and disabled or non-existent super users creating accounts.
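The account review above is easy to do by hand for a handful of admins but tedious across a fleet. The following Python script, added here as an illustration and not part of the CloudSEK advisory or of Fortra's product, applies those four heuristics to an exported list of admin accounts. The record fields (username, created_by, created_at, creator_enabled, creator_exists), the allow-lists of known admins and provisioning systems, the business-hours window and the sample accounts are all constructed assumptions for the example; GoAnywhere's real export format is not described on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed allow-lists: the admins you expect to exist and the automated
# principals (e.g. a directory sync job) that legitimately create accounts.
KNOWN_ADMINS = {"alice.admin", "bob.admin", "svc_backup"}
KNOWN_SYSTEMS = {"ldap-sync", "console"}
# Assumed business-hours window in UTC used for the "suspicious timing" check.
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59


@dataclass
class AdminAccount:
    """One row of an (assumed) admin-account export."""
    username: str
    created_by: str          # principal that created the account
    created_at: datetime     # creation time, timezone-aware
    creator_enabled: bool    # is the creating account currently enabled?
    creator_exists: bool     # does the creating account still exist at all?


def review_account(acct, known_admins=KNOWN_ADMINS, known_systems=KNOWN_SYSTEMS):
    """Return a list of findings for one account; an empty list means nothing suspicious."""
    findings = []
    # 1. Unrecognized username.
    if acct.username not in known_admins:
        findings.append("unrecognized username")
    # 2. Created by a principal that is neither a known admin nor a known system.
    if acct.created_by not in known_admins and acct.created_by not in known_systems:
        findings.append(f"created by unknown principal '{acct.created_by}'")
    # 3. Suspicious timing: outside business hours or on a weekend.
    if acct.created_at.hour not in BUSINESS_HOURS or acct.created_at.weekday() >= 5:
        findings.append("created outside business hours")
    # 4. Creator is a disabled or non-existent (super) user.
    if not acct.creator_exists:
        findings.append("creator account does not exist")
    elif not acct.creator_enabled:
        findings.append("creator account is disabled")
    return findings


def review_all(accounts):
    """Map username -> findings for every account that has at least one finding."""
    return {a.username: f for a in accounts if (f := review_account(a))}


# Constructed sample export: two expected accounts and two that should be flagged.
SAMPLE_ACCOUNTS = [
    AdminAccount("alice.admin", "console",
                 datetime(2023, 1, 10, 9, 30, tzinfo=timezone.utc), True, True),
    AdminAccount("svc_backup", "ldap-sync",
                 datetime(2023, 1, 12, 14, 0, tzinfo=timezone.utc), True, True),
    # Unknown name, unknown creator, 03:12 on a Sunday, creator disabled.
    AdminAccount("sysadmin2", "system",
                 datetime(2023, 2, 5, 3, 12, tzinfo=timezone.utc), False, True),
    # Known name but created by a principal that no longer exists.
    AdminAccount("bob.admin", "root",
                 datetime(2023, 2, 6, 11, 0, tzinfo=timezone.utc), True, False),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(findings)}")
```

Run against a real export, the script is a triage aid, not a verdict: a flagged account still needs a human to confirm whether it was provisioned legitimately, and the allow-lists must be maintained from your own identity records rather than from the export being reviewed.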
The CloudSEK advisory follows a report published by Microsoft in October last year linking Raspberry Robin worm actors to the Clop and LockBit ransomware groups.