In February 2023, a significant security vulnerability in Fortra’s GoAnywhere MFT file transfer solution was discovered by security researchers. This vulnerability has subsequently been exploited by attackers to target numerous large organizations.
Ransomware group Cl0p has claimed responsibility for breaching over 130 organizations, including well-known companies such as Rubrik, Proctor and Gamble, and Hitachi Energy. Surprisingly, Cl0p has chosen to pursue a pure extortion model instead of deploying lockers or utilizing double extortion tactics. The specific ransom demands made after stealing the victims’ data remain unknown.
Although the vulnerability was patched shortly after its disclosure, it is a well-known fact that organizations often fail to implement patches promptly for various reasons. As a result, the scale of attacks using this vulnerability may increase in the near future.
Here is a timeline of events related to the GoAnywhere data breach:
- On February 1st, 2023, Fortra initially disclosed the vulnerability to its own users through a login screen, keeping the information restricted from the wider public.
- External reports gradually disseminated information about the issue, with security expert Brian Krebs being the first to bring it to light by sharing Fortra’s advisory on a Mastodon instance.
- Exploit code based on the advisory’s details was developed and circulated a day prior to Fortra issuing a patch for the vulnerability on February 7th. CloudSEK researchers noted that thousands of GoAnywhere admin panels were vulnerable, as indicated by a Shodan scan indexing them on port 8000.
The exploited vulnerability, known as CVE-2023-0669, is a remote code execution (RCE) flaw in GoAnywhere MFT. RCE flaws are considered highly severe and damaging, as they enable attackers to run code, execute malware, and steal data without physical access to the targeted systems.
To exploit this vulnerability, attackers send a post request to the endpoint at ‘/goanywhere/lic/accept’, taking advantage of a deserialization bug. There is even a module available in the Metasploit hacking tool that simplifies the exploitation process.
Fortra clarified that the vulnerability can only be exploited through a compromised admin console, with the web client interface itself being unaffected. Typically, access to the admin console requires being within the company’s network, via a virtual private network (VPN), or through specific IP addresses. Fortra advised customers to contact their customer service team if they suspect their consoles were exposed to the public internet.
In addition to patching the vulnerability, Fortra recommended GoAnywhere customers to audit all admin users and check for unrecognized usernames. This suggestion from Rapid7 indicates that Fortra may have noticed follow-on activity from real-world exploits, wherein attackers created new admin users to maintain persistence on compromised machines.
Several organizations have confirmed being affected by the GoAnywhere data breach:
- Rubrik, a cybersecurity firm, revealed that it had fallen victim to the breach. Cl0p published a significant amount of Rubrik’s data on their dark web blog, including business names, contact information, and purchase orders.
- Hitachi Energy, a multinational energy company employing 40,000 people across 90 countries, acknowledged being one of the 130 victims. According to their public advisory, unauthorized access to employee data in certain countries may have occurred.
- Crown Resorts, Australia’s largest gambling company, confirmed that a small number of files, such as employee attendance records and some membership numbers, were stolen.
- The Pension Protection Fund (PPF) in the UK also had employee data stolen, although no pension details were compromised. The PPF expressed dissatisfaction with Fortra initially misleading them about the nature of the incident, resulting in the immediate cessation of their services.
Other notable victims include Proctor and Gamble, the City of Toronto, Virgin Red, Axis Bank, the Tasmanian government, Saks Fith Avenue, Hatch Bank, and Investissement Québec.
The Cl0p ransomware group, which operates as a ransomware-as-a-service (RaaS) organization, is responsible for the attacks. Secureworks Counter Threat Unit (CTU) attributes these attacks to a group known as Gold Tahoe, also tracked as TA505 and Dudear by other security firms. Gold Tahoe has been deploying Cl0p ransomware since 2019 and has established itself as both an RaaS operator and a malware distributor.
Additional information suggests that Gold Tahoe was behind the exploitation of vulnerabilities in Accellion FTA in 2021, impacting major organizations like Morgan Stanley.
The recent leak of data from 91 victims on Cl0p’s dedicated leak site accounted for over 65% of the total victims claimed by the ransomware group between August 2020 and February 2023, according to Secureworks CTU.
It is challenging to ascertain the precise attribution of ransomware organizations. However, there are indications that Cl0p is most likely based in Russia, a country with a history of tacitly supporting cybercriminals through state-condoned and state-ignored attacks, as suggested by Cybereason.