"Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks"

Fortra, the company that develops Cobalt Strike, is bringing further attention to the zero-day Remote Code Execution (RCE) flaw in its GoAnywhere MFT tool that ransomware actors are actively exploiting to steal sensitive data. The critical flaw, tracked as CVE-2023-0669 with a CVSS score of 7.2, is a pre-authenticated command injection vulnerability that could be exploited for code execution. The company patched the vulnerability in version 7.1.2 of the software in February 2023, but not before it had been weaponized as a zero-day exploit since January 18. On January 30, 2023, Fortra, which collaborated with Palo Alto Networks Unit 42, was made aware of suspicious activity associated with some file transfer instances. According to the company, the unauthorized entity used the flaw to create unauthorized user accounts in certain MFTaaS customer environments. The unauthorized party leveraged user accounts for a subset of these customers to download files from their hosted MFTaaS environments. Cl0p, a Ransomware-as-a-Service (RaaS) provider, exploited the GoAnywhere vulnerability and was the most active threat actor observed, with a total of 129 victims, according to NCC Group. Cl0p's exploitation spree is the second time since September 2021 that LockBit has been dethroned from the top spot. Royal, BlackCat, Play, Black Basta, and BianLian were other prevalent ransomware strains. This article continues to discuss the zero-day RCE vulnerability in Fortra's GoAnywhere MFT tool that ransomware actors have actively exploited to steal sensitive data.

THN reports "Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks"

Submitted by Anonymous on