"Clop Ransomware Group Exploits GoAnywhere MFT Flaw"

The ransomware gang known as Clop has been observed exploiting a pre-authentication command injection vulnerability (CVE-2023-0669) in Fortra's managed file transfer product GoAnywhere MFT. The high-severity vulnerability carries a CVSS 3.1 base score of 7.2 and was exploited against several companies in the US and elsewhere. Security researchers at CloudSEK stated that the flaw derives from a deserialization bug that can be triggered by sending a single POST request to the vulnerable endpoint, with no authentication required, and warned that a Metasploit module is also available for it. A public exploit for this CVE appeared a day before the patch (version 7.1.2) was released on February 7, 2023.

The researchers stated that many GoAnywhere administrative panels were found indexed on Shodan (a search engine for internet-connected devices), running on port 8000. They clarified that only the GoAnywhere administrative interface is vulnerable to the exploit used by Clop, not the web client interface that most end users interact with. Still, threat actors can search for exposed web client interfaces and then probe the same IP for an admin panel. Shodan results indicate that thousands of GoAnywhere web panels are exposed on the internet; of these, around 94 are running on port 8000 or 8001, where the admin panel is located. Remote code execution requires nothing more than one POST request to the vulnerable endpoint.

To mitigate this vulnerability, the researchers advised companies to update to the latest GoAnywhere version and to stop exposing the admin panel port (8000, or 8001) to the internet. Admin user accounts should also be reviewed for suspicious activity such as unrecognized usernames, accounts created by unknown "systems," suspicious timing of account creation, and disabled or non-existent super users creating accounts.
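The two mitigations above (confirm the instance is on 7.1.2 or later, and review the admin user list for the listed indicators) can be turned into a repeatable triage check. The script below is an added example, not code from Fortra, CloudSEK or the article: the `AdminAccount` record layout, the `SAMPLE_ACCOUNTS` export, the `KNOWN_ADMINS` baseline and the business-hours window are all constructed assumptions that you would replace with your own admin-user export and inventory.

```python
"""Added example (not Fortra's or the article's code): triage checks for the
GoAnywhere MFT mitigations described above. The admin-account record layout,
the sample export and the business-hours window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time

# First fixed release named in the article.
PATCHED_VERSION = (7, 1, 2)


def parse_version(version: str) -> tuple:
    """'7.1.1' -> (7, 1, 1); non-numeric suffixes inside a component are dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the instance predates 7.1.2 and so lacks the CVE-2023-0669 fix."""
    return parse_version(version) < PATCHED_VERSION


@dataclass
class AdminAccount:
    """Hypothetical shape of one row of an admin-user export (an assumption)."""
    username: str
    created_by: str       # username or "system" name recorded as the creator
    created_at: datetime
    enabled: bool
    super_user: bool


def audit_admin_accounts(accounts, known_admins,
                         business_hours=(time(7, 0), time(19, 0))):
    """Return {username: [reasons]} for accounts matching the article's indicators.

    Checks: unrecognized username; creator not present in the export
    (unknown "system" or non-existent user); creator currently disabled or
    not a super user; creation on a weekend or outside business hours.
    The export is a current-state snapshot, so "disabled" means disabled now.
    """
    by_name = {a.username: a for a in accounts}
    start, end = business_hours
    findings = {}
    for acct in accounts:
        reasons = []
        if acct.username not in known_admins:
            reasons.append("unrecognized username")
        creator = by_name.get(acct.created_by)
        if creator is None:
            reasons.append(f"created by non-existent account '{acct.created_by}'")
        else:
            if not creator.enabled:
                reasons.append(f"created by disabled account '{creator.username}'")
            if not creator.super_user:
                reasons.append(f"created by non-super-user '{creator.username}'")
        off_hours = not (start <= acct.created_at.time() < end)
        if acct.created_at.weekday() >= 5 or off_hours:
            reasons.append(f"created off-hours at {acct.created_at:%Y-%m-%d %H:%M}")
        if reasons:
            findings[acct.username] = reasons
    return findings


# Constructed sample export: 'ftp_new' was created on a Saturday at 03:12 by a
# super user that is now disabled, and 'svc_backup' by a creator that does not
# exist in the export.
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", "admin", datetime(2021, 3, 1, 10, 0), True, True),
    AdminAccount("jdoe", "admin", datetime(2022, 5, 10, 14, 30), True, False),
    AdminAccount("olduser", "admin", datetime(2020, 1, 15, 9, 0), False, True),
    AdminAccount("svc_backup", "system", datetime(2022, 8, 3, 11, 0), True, False),
    AdminAccount("ftp_new", "olduser", datetime(2023, 2, 4, 3, 12), True, True),
]
KNOWN_ADMINS = {"admin", "jdoe", "olduser", "svc_backup"}  # constructed inventory


if __name__ == "__main__":
    print("7.1.1 vulnerable:", is_vulnerable_version("7.1.1"))
    for user, reasons in audit_admin_accounts(SAMPLE_ACCOUNTS, KNOWN_ADMINS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run against a real export, the version check tells you whether the patch is in place, and the audit output is a starting list for incident triage rather than a verdict: every flagged account still needs a human to confirm who created it and why.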


Infosecurity reports: "Clop Ransomware Group Exploits GoAnywhere MFT Flaw"
