It is now reported that the Clop ransomware group - known for its Linux variant recently - has used the zero-day vulnerability of the GoAnywhere MFT file transfer tool that they claim to have hacked into hundreds of organizations to boost its reputation by claiming to have stolen data from hundreds of organizations. 

Attackers can exploit a vulnerability in GoAnywhere MFT to remotely execute code by exploiting flaws without first authenticating in the GoAnywhere MFT administration console or the application itself. GoAnywhere MFT is vulnerable to a remote code execution vulnerability which occurs before authentication is completed. This vulnerability is in cases with their administrative console exposed to the Internet. 

This vulnerability has been assigned the CVE-2023-0669 number. It is estimated that the gang has committed over 50 hacks. 

 

With GoAnywhere MFT, organizations can efficiently share files with their business partners while maintaining security. The system also records who accessed the shared files and who made changes. Fortra (formerly known as HelpSystems), the company that created this tool, has also developed the popular and widespread Cobalt Strike tool, intended for penetration testers and the Red Team, focusing on operation and post-operation techniques for hackers. 

It was reported on Friday that up to 56 victims had been compromised in the last 24 hours by the Clop ransomware group. This was according to cybersecurity analyst and security researcher Dominic Alvieri. 

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

GoAnywhere MFT mentioned in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

According to a report by the Clop group, the group stole data from over 130 organizations over 10 days after exploiting CVE-2023-0669 in a report.

As a result of the group gaining access to the admin console exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances. 

The claim says hackers moved between networks to encrypt people's systems with ransomware payloads deployed laterally. 

However, there is a possibility that it may have only stolen documents stored on compromised GoAnywhere MFT servers.

As to hackers, the vulnerability could also be exploited to enter their victims' networks. They could also deploy extortionate payloads using the unpatched vulnerability. It is critical to note that thieves stole sensitive documents from compromised GoAnywhere MFT servers. 

There was no proof or information provided by the ransomware group about the origin of the attack, the date on which it began, or evidence of what they were doing. In addition, the company refused to disclose how much ransom it demanded and whether or not victims initiated extortion. 

As a result of the flaw in GoAnywhere MFT, its developer Fortra disclosed that the vulnerability is currently being exploited actively. 

CISA added the GoAnywhere MFT bug to its Known and Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date. 

As a result, it is relatively worrying that Clop has exploited an opportunistic vulnerability in GoAnywhere MFT to cause damage. To ensure system security in the future, organizations should avoid paying the ransom. They should also use backups to guarantee protection and take a layer-by-layer approach to secure systems ahead.