The Clop ransomware group is no longer the only actor that has successfully taken advantage of the GoAnywhere MFT vulnerability to target an enterprise.
As discovered by At-Bay cybersecurity researchers, known ransomware threat actor BlackCat (AKA ALPHV) also used the flaw to target an unnamed US company in February 2023.
“This latest exploitation of the GoAnywhere MFT vulnerability against a US company by the hyperactive BlackCat group raises the stakes for a fix,” wrote Edu Lev of At-Bay. “The vulnerability is a good example of how cybercriminals not only go after the most widely reported or publicly known disclosures of CVEs. The most important indicator of risk is not just the degree to which a vulnerability is given, but how easily it can be exploited by cybercriminals in the wild and on a large scale to achieve the desired result.”
Dozens of companies attacked
GoAnywhere MFT is a secure file transfer service, created by Fortra, and used by some of the largest organizations in the world.
In February of this year, it was discovered that a Russian threat actor known as Clop used a vulnerability in the product, now tracked as CVE-2023-0669, to infiltrate more than a hundred organizations and get away with their sensitive data.
“A zero-day remote code injection vulnerability was identified in the GoAnywhere MFT,” Fortra said at the time. The attack vector for this exploit requires access to the application’s administrative console, which in most cases can only be accessed from within a private corporate network, via VPN, or via allowed IP addresses (when running in cloud environments, such as Azure or AWS).
Among the compromised companies are Hitachi Bank, Hatch Energy, Saks Fifth Avenue, Procter & Gamble, and many others.
To protect against these attacks, the researchers say, GoAnywhere MFT users should ensure they apply the latest patch and bring their software up to at least version 7.1.2.