
Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

With no evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

Clop Claims to Have Hacked 130 Organizations

 


The Clop ransomware group, recently known for its Linux variant, has reportedly used a zero-day vulnerability in the GoAnywhere MFT file transfer tool, and it is boosting its reputation by claiming to have stolen data from hundreds of organizations.

The vulnerability in GoAnywhere MFT lets attackers execute code remotely without first authenticating to the GoAnywhere MFT administration console or the application itself. In other words, it is a remote code execution flaw that is triggered before authentication is completed. It affects instances whose administrative console is exposed to the Internet.
The vulnerability has been assigned CVE-2023-0669. It is estimated that the gang has committed over 50 hacks.

 
With GoAnywhere MFT, organizations can efficiently share files with their business partners while maintaining security. The system also records who accessed the shared files and who made changes. Fortra (formerly known as HelpSystems), the company that created this tool, has also developed the popular and widespread Cobalt Strike tool, intended for penetration testers and red teams and focused on exploitation and post-exploitation techniques.

On Friday, cybersecurity analyst and security researcher Dominic Alvieri reported that up to 56 victims had been compromised by the Clop ransomware group in the last 24 hours.

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

GoAnywhere MFT mentioned in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

According to a report by the Clop group, it stole data from over 130 organizations over 10 days after exploiting CVE-2023-0669.

Having gained access to admin consoles exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances.

According to the claim, the hackers moved laterally between networks and deployed ransomware payloads to encrypt victims' systems.

However, there is a possibility that it may have only stolen documents stored on compromised GoAnywhere MFT servers.

Hackers could also exploit the unpatched vulnerability to enter their victims' networks and deploy extortion payloads. It is critical to note that thieves stole sensitive documents from compromised GoAnywhere MFT servers.

The ransomware group provided no proof and no information about the origin of the attack, the date on which it began, or what it was doing. In addition, the group refused to disclose how much ransom it demanded and whether extortion of victims had begun.

Fortra, the developer of GoAnywhere MFT, disclosed that the vulnerability is being actively exploited.

CISA added the GoAnywhere MFT bug to its Known Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date.

It is worrying that Clop has opportunistically exploited a vulnerability in GoAnywhere MFT to cause damage. Organizations should avoid paying the ransom, rely on backups for protection, and take a layered approach to securing their systems.

GoAnywhere Hack Targets UK Pension Protection Fund

 


The U.K. Pension Protection Fund (PPF), one of the largest asset managers in the United Kingdom with £39 billion in assets under management, confirmed that it was impacted by the hack against GoAnywhere, the popular file transfer service.

In recent days, many organizations have confirmed that hackers accessed their data as a result of this incident. They include the City of Toronto, a British multinational company, and the University of Toronto.

The fund, which manages pension assets for nearly 300,000 clients, announced that it would inform affected employees. It is offering support, monitoring, and emergency services to those impacted by the breach.

The PPF said that Fortra, the company behind GoAnywhere, initially assured it that the February breach had not had any impact on data, but this was not the case. A subsequent investigation revealed that some data was potentially compromised.

In response to the incident, the pension fund immediately stopped using the firm's services.

Fortra's Managed File Transfer platform is used by many companies around the world. Fortra is a software solutions provider whose products automate the process of sending valuable data over the Internet.

The Clop ransomware group's leak site added more than three dozen victims on Thursday. All of them appear to have been impacted by the GoAnywhere hack.

Originally, Clop was reported to have hacked into over 130 organizations using a GoAnywhere vulnerability, which is tracked as CVE-2023-0669.

At the time the incident was reported to the PPF, GoAnywhere's parent company Fortra had assured it that any impact on its data would be minimal.

However, the PPF is now listed on the Clop site separately from the other victims affected by the incident.

The GoAnywhere breach has continued to wreak havoc over the last few weeks, and the number of organizations affected is increasing.

More than 130 organizations in both the public and private sectors have been affected so far. Rubrik suffered a breach earlier this month due to the incident, as revealed by the company's US-based cloud vendor.

A mining company based in Australia, Rio Tinto, is among the companies that have been affected by the information leak discovered on Thursday. 

During the investigation, it was revealed that data related to existing and former employees was compromised, including payroll information.  

The University of Melbourne appears to be the latest organization to have its data compromised. The academic institution was added to the Clop ransomware group's leak site overnight after the group claimed responsibility for the attack.

A software vulnerability in Fortra's data transfer platform was exploited by threat actors to gain access to GoAnywhere's data. Fortra first disclosed details of the breach in early February.   

It has been revealed that over 100 organizations have been compromised as a result of the Clop ransomware attack. The number of companies that have fallen victim to this attack has steadily increased since it was first discovered in 2012.   

In recent years, Clop has gained a reputation as one of the most prolific ransomware groups, targeting dozens of organizations with its malicious software.   

The Russian-linked gang carries out its attacks as part of a ransomware-as-a-service (RaaS) operation, which means it depends on several affiliates.

The group has been associated with larger cyber-criminal gangs such as FIN11 and TA505, according to Louise Ferrett, threat intelligence analyst at Searchlight Cyber. This attack targets large, high-profile organizations in the public eye.   

Ferrett said that this is not the first time the group has been involved in a massive hack; it has happened before.

More than 100 companies were compromised by a similar attack using Accellion's legacy File Transfer Appliance, carried out in late 2020 and early 2021. That attack was designed to exploit a mix of zero-day vulnerabilities and a powerful web shell, she went on to explain.

This time, the operation exploited CVE-2023-0669 in Fortra's GoAnywhere MFT secure file transfer tool. Clop distinguishes itself from other ransomware operations because, in addition to attacking multiple organizations and announcing them publicly, it also takes a spear-phishing approach.

Clop is an established cybercriminal group specializing in ransomware. However, ransomware does not appear to have been installed on any systems in any of the organizations impacted by the GoAnywhere breach.