
Fortra, the company behind Cobalt Strike, has disclosed details of a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that is being actively exploited by ransomware actors to steal sensitive data.
The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), is a pre-authentication command injection in the product's License Response Servlet, reached through deserialization of an attacker-controlled object, that can be exploited to achieve code execution. The company patched the issue in version 7.1.2 of the software in February 2023, but not before it had been weaponized as a zero-day since January 18, 2023.
Fortra, which worked with Palo Alto Networks Unit 42, said it became aware of suspicious activity related to some file transfer instances on January 30, 2023.
“Unauthorized parties used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” the company said. “For some of these customers, an unauthorized party utilized these user accounts to download files from the hosted MFTaaS environment.”
The attackers also leveraged the flaw to deploy two additional tools, named 'Netcat' and 'Errors.jsp', between January 28, 2023 and January 31, 2023, although not every installation attempt was successful.
Fortra said it contacted affected customers directly and found no signs of unauthorized access to customer systems that had been reprovisioned into a “clean and secure MFTaaS environment.”
Netcat is a legitimate networking utility for reading from and writing to network connections; how the Errors.jsp file was used in the attack is currently unknown.
The research also found that CVE-2023-0669 was exploited against a small number of on-premises implementations running specific configurations of the GoAnywhere MFT solution.
As remediation steps, the company recommends that affected users rotate their master encryption keys, reset all credentials, review audit logs for unexpected activity, and remove any suspicious administrator or user accounts.
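As an added illustration of the log-review step (this is example code written for this page, not a tool from Fortra or anything described in the article), the following Python script triages a constructed audit log: it flags accounts created on or after the known start of exploitation that are not on an allow-list, records which of them received an administrator role, and lists the file downloads each flagged account performed. The key=value line format, the account names, the paths and the allow-list are all made up for the example; GoAnywhere's real audit schema is not described in the article and is not reproduced here.

```python
from datetime import datetime, timezone

# Start of the known exploitation window: the article states the flaw was
# weaponised as a zero-day since January 18, 2023.
WINDOW_START = datetime(2023, 1, 18, tzinfo=timezone.utc)

# Constructed sample audit lines in a hypothetical "timestamp key=value ..." format.
# These are NOT real GoAnywhere log lines; the schema is invented for the example.
SAMPLE_AUDIT_LOG = """\
2023-01-10T09:00:00Z event=USER_CREATED actor=admin user=jdoe role=User
2023-01-29T03:12:44Z event=USER_CREATED actor=system user=svc_sync role=Administrator
2023-01-29T03:15:10Z event=FILE_DOWNLOAD user=svc_sync path=/finance/q4_payroll.xlsx
2023-01-29T03:16:02Z event=FILE_DOWNLOAD user=svc_sync path=/legal/contracts.zip
2023-01-30T11:02:00Z event=FILE_DOWNLOAD user=jdoe path=/shared/readme.txt
2023-01-30T11:40:00Z event=USER_CREATED actor=admin user=ops_tmp role=User
"""


def parse_line(line):
    """Parse one constructed audit line into a dict; the timestamp goes under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def triage(log_text, window_start=WINDOW_START, approved_accounts=frozenset()):
    """Return {username: details} for accounts created inside the exploitation
    window that are not on the approved list, with every file download each
    such account performed. 'approved_accounts' is a hypothetical allow-list of
    account creations an administrator has already vouched for."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    suspicious = {}
    for e in events:
        if (
            e["event"] == "USER_CREATED"
            and e["ts"] >= window_start
            and e["user"] not in approved_accounts
        ):
            suspicious[e["user"]] = {
                "created": e["ts"],
                "actor": e["actor"],
                "role": e["role"],
                "is_admin": e["role"] == "Administrator",
                "downloads": [],
            }

    # Second pass: attribute downloads to flagged accounts (log order preserved).
    for e in events:
        if e["event"] == "FILE_DOWNLOAD" and e["user"] in suspicious:
            suspicious[e["user"]]["downloads"].append(e["path"])

    return suspicious


def report(log_text, approved_accounts=frozenset()):
    """Render the triage result as human-readable lines (one per flagged account)."""
    lines = []
    for user, d in triage(log_text, approved_accounts=approved_accounts).items():
        flag = "ADMIN " if d["is_admin"] else ""
        lines.append(
            f"{flag}{user}: created {d['created'].isoformat()} by {d['actor']}, "
            f"{len(d['downloads'])} download(s): {', '.join(d['downloads']) or '-'}"
        )
    return lines


if __name__ == "__main__":
    # Constructed allow-list: an administrator has confirmed 'ops_tmp' was legitimate.
    for line in report(SAMPLE_AUDIT_LOG, approved_accounts=frozenset({"ops_tmp"})):
        print(line)
```

Accounts created before the window (jdoe) are ignored, accounts on the allow-list are skipped, and the remaining in-window creations are reported together with their downloads, which is the list a responder would use to decide which accounts to remove and which files to treat as exfiltrated.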
The disclosure comes as Malwarebytes and NCC Group reported a spike in ransomware attacks during March 2023, driven primarily by active exploitation of the GoAnywhere MFT vulnerability.
A total of 459 attacks were recorded in March alone, a 91% increase from February 2023 and a 62% increase compared to March 2022.
“Cl0p, a ransomware-as-a-service (RaaS) provider, was the most active attacker observed, successfully exploiting the GoAnywhere vulnerability, resulting in a total of 129 victims,” NCC Group said.
Cl0p's surge marks only the second time since September 2021 that LockBit has been displaced from the top spot. Other prevalent ransomware families included Royal, BlackCat, Play, Black Basta, and BianLian.
It is worth noting that Cl0p actors have previously exploited a zero-day vulnerability in Accellion File Transfer Appliance (FTA) to compromise multiple targets in 2021.