Clop Operators Claim to Hack 130 Organizations Using GoAnywhere MFT Bug

Clop and GoAnywhere MFT

Clop ransomware operators claim to be behind recent attacks on a 0-day vulnerability in the GoAnywhere MFT secure file transfer tool.

Hackers claim that thanks to this bug they stole the data of 130 organizations.

We also reported that Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network.

As a reminder, GoAnywhere MFT is a file transfer tool designed to help organizations securely share files with partners and maintain audit trails of whose who has accessed shared files. Behind its creation is Fortra (formerly known as HelpSystems), which also develops the well-known and widely used Cobalt Strike tool, aimed at pentesters and the red team, and focused on operation and post-operation.

In early February, it became known that Fortra developers discovered an RCE exploit and attacks on the GoAnywhere MFT, after which they were forced to temporarily disable their SaaS service.

At the same time, it was emphasized that the exploitation of the vulnerability requires access to the administrative console, which under normal conditions should not be accessible via the Internet at all. However, Shodan detects about 1000 available GoAnywhere instances on the Internet (although only about 140 installations were seen on ports 8000 and 8001, which are the defaults used by the affected admin console).

Clop and GoAnywhere MFT

On February 7, 2023, Fortra released an emergency patch for this 0-day vulnerability (7.1.2) and urged all customers to install it as soon as possible.

As reported now, the vulnerability eventually received the identifier CVE-2023-0669 and indeed allows attackers to remotely execute arbitrary code in the GoAnywhere MFT if the administrative console is open for access via the Internet.

Bleeping Computer journalists write that Clop ransomware operators told them that they successfully exploited this bug to hack many different companies.

The hackers also stated that they could use the vulnerability to move through the networks of their victims and deploy extortionate payloads, but decided not to do this and limited themselves to stealing documents stored on compromised GoAnywhere MFT servers.

The publication was unable to confirm or deny the claims of the hackers, and Fortra representatives did not respond to letters asking for additional information about the attacks on CVE-2023-0669.

However, it is noted that Huntress Threat Intelligence expert Joe Slowik was able to link the attacks on the GoAnywhere MFT with the TA505 group, which was previously known for deploying the Clop ransomware in the networks of its victims.

The media also wrote that PoC Exploit for PlayStation 5 Appeared, but It Works Only in 30% of Cases.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *