Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Fortra. Show all posts

New Windows Vulnerability CVE-2024-6768 Triggers Blue Screen of Death on All Versions of Windows 10 and 11

 

A recently uncovered Windows vulnerability, known as CVE-2024-6768, has raised alarm among cybersecurity experts due to its potential to cause widespread disruption by triggering the dreaded blue screen of death (BSOD) on a range of Windows operating systems. Discovered by cybersecurity researchers from Fortra, this vulnerability impacts all versions of Windows 10 and Windows 11, as well as Windows Server 2022, even if they have received the latest security patches. 

The flaw lies within the common log file system (CLFS) driver, which, when improperly validated, can result in a system crash by initiating the KeBugCheckEx function, causing the infamous BSOD. The vulnerability is significant because it can be exploited by a user with no administrative privileges. By using a specially crafted file, a malicious actor can crash the system, leading to potential data loss and disruption of services. Although the attack vector is local rather than remote, the ease with which the vulnerability can be exploited raises concerns about its potential impact. The vulnerability is graded as medium risk due to the requirement for local access, but the consequences of exploitation—especially in environments with multiple users—are severe. 

The discovery of CVE-2024-6768 dates back to December 2023, when Fortra initially reported the issue to Microsoft, providing a proof-of-concept (PoC) exploit. Despite Fortra’s efforts to demonstrate the vulnerability across various systems, including those with the latest security updates, Microsoft was unable to reproduce the flaw and therefore did not prioritize a fix. Fortra continued to provide evidence, including screenshots, videos, and memory dumps, but Microsoft remained unresponsive, ultimately closing the case in February 2024. In June 2024, frustrated by the lack of progress, Fortra announced its intention to pursue a Common Vulnerabilities and Exposures (CVE) designation and publish its findings. 

The vulnerability was officially cataloged as CVE-2024-6768 in July 2024, and Fortra planned to release its research publicly in August 2024. The report highlights the vulnerability’s potential to be exploited by low-privileged users to crash systems, which could be particularly damaging in multi-user environments or where system stability is crucial. Microsoft, for its part, has downplayed the severity of the issue, stating that the vulnerability does not meet its criteria for immediate servicing. The company noted that an attacker would need to have already gained code execution capabilities on the target machine and that the vulnerability does not grant elevated permissions. 

However, the lack of a workaround or mitigation has left many organizations concerned about the potential impact of this flaw. While the average Windows user may not be significantly affected by CVE-2024-6768, the vulnerability poses a serious risk to businesses and organizations that rely on stable and secure systems. The possibility of a low-privileged user crashing a system without warning could lead to significant operational disruptions, especially in environments where uptime is critical. For these organizations, the absence of a timely fix from Microsoft is a cause for concern, and they may need to take additional precautions to safeguard their systems. 

In conclusion, the discovery of CVE-2024-6768 underscores the ongoing challenges in maintaining the security and stability of widely used operating systems. As Microsoft considers whether to release a fix, the vulnerability serves as a reminder of the importance of proactive cybersecurity measures and the need for organizations to remain vigilant in the face of evolving threats.

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

CLOPS Claim to Have Hacked 130 Organizations

 


It is now reported that the Clop ransomware group - known for its Linux variant recently - has used the zero-day vulnerability of the GoAnywhere MFT file transfer tool that they claim to have hacked into hundreds of organizations to boost its reputation by claiming to have stolen data from hundreds of organizations. 

Attackers can exploit a vulnerability in GoAnywhere MFT to remotely execute code by exploiting flaws without first authenticating in the GoAnywhere MFT administration console or the application itself. GoAnywhere MFT is vulnerable to a remote code execution vulnerability which occurs before authentication is completed. This vulnerability is in cases with their administrative console exposed to the Internet. 
This vulnerability has been assigned the CVE-2023-0669 number. It is estimated that the gang has committed over 50 hacks. 

 
With GoAnywhere MFT, organizations can efficiently share files with their business partners while maintaining security. The system also records who accessed the shared files and who made changes. Fortra (formerly known as HelpSystems), the company that created this tool, has also developed the popular and widespread Cobalt Strike tool, intended for penetration testers and the Red Team, focusing on operation and post-operation techniques for hackers. 

It was reported on Friday that up to 56 victims had been compromised in the last 24 hours by the Clop ransomware group. This was according to cybersecurity analyst and security researcher Dominic Alvieri. 

There are plenty of other companies and organizations in the business world on the list, including British multinational conglomerate Virgin's rewards club, Virgin Red, the city of Toronto, Rio Tinto, Rubrik, Axis Bank, Hitachi Energy, Saks Fifth Avenue, Procter & Gamble, the U.K.'s Pension Protection Fund, Pluralsight, and Munich RE. 

GoAnywhere MFT mentioned in a statement that "On March 24, the hacker group Clop announced on the darknet that sensitive Atos data was compromised. We want to reassure our clients, suppliers, and employees that this is not the case. Atos IT systems have not been affected by ransomware."

According to a report by the Clop group, the group stole data from over 130 organizations over 10 days after exploiting CVE-2023-0669 in a report.

As a result of the group gaining access to the admin console exposed to the internet, the group could remotely execute code on unpatched GoAnywhere MFT instances. 

The claim says hackers moved between networks to encrypt people's systems with ransomware payloads deployed laterally. 

However, there is a possibility that it may have only stolen documents stored on compromised GoAnywhere MFT servers.

As to hackers, the vulnerability could also be exploited to enter their victims' networks. They could also deploy extortionate payloads using the unpatched vulnerability. It is critical to note that thieves stole sensitive documents from compromised GoAnywhere MFT servers. 

There was no proof or information provided by the ransomware group about the origin of the attack, the date on which it began, or evidence of what they were doing. In addition, the company refused to disclose how much ransom it demanded and whether or not victims initiated extortion. 

As a result of the flaw in GoAnywhere MFT, its developer Fortra disclosed that the vulnerability is currently being exploited actively. 

CISA added the GoAnywhere MFT bug to its Known and Exploited Vulnerabilities Catalog on March 3, ordering federal agencies to update their systems by that date. 

As a result, it is relatively worrying that Clop has exploited an opportunistic vulnerability in GoAnywhere MFT to cause damage. To ensure system security in the future, organizations should avoid paying the ransom. They should also use backups to guarantee protection and take a layer-by-layer approach to secure systems ahead.

GoAnywhere Hack Targets UK Pension Protection Fund

 


Among the largest asset managers in the United Kingdom, the U.K. Pension Protection Fund, which manages £39 billion in assets, confirmed that the hack against GoAnywhere, the popular file-transferring service, had impacted it. 

There have been many reports in recent days that many different organizations have confirmed their data has been accessed by hackers as a result of this incident. One of these organizations is the City of Toronto, a British multinational company, as well as the University of Toronto. 

The fund, which manages pension assets for nearly 300,000 clients, announced its decision to inform employees affected by the change. To help those impacted by the breach, it offers support, monitoring, and emergency services.   

PPF said that although Fortra, the company behind GoAnywhere, initially assured them that there had not been any impact on data as a result of the February breach, this was not the case. It was also revealed that some data was potentially compromised during a subsequent investigation.   

In response to this, the pension fund stopped using the firm's services immediately, due to this incident. 

Fortran's Managed File Transfer platform is used by many companies around the world. Fortra is a software solutions provider that automates the process of sending valuable data over the Internet through automated software solutions.  

The Clop ransomware group leak site added more than three dozen victims on Thursday. In light of the GoAnywhere hack, it appears that all of them have been impacted. 

Originally, Clop was reported to have hacked into over 130 organizations using a GoAnywhere vulnerability, which is tracked under the CVE-2023-0669 designation. This has occurred in more than 130 organizations. 

At the time the incident was reported to the PPF, GoAnywhere's parent company Fortra had assured them that any impact on their data would be minimal at the time the incident was reported. 

Although, the PPF is now listed separately on the Clop site from the other victims affected by the incident. 

With the GoAnywhere breach continuing to wreak havoc across a growing number of organizations over the last few weeks, the number of organizations affected is increasing.   

More than 130 organizations across various sectors have been affected as of yet, including those in both the public and private sectors. There was a breach suffered by Rubrik earlier this month due to the incident, as revealed by the company's US-based cloud vendor.   

A mining company based in Australia, Rio Tinto, is among the companies that have been affected by the information leak discovered on Thursday. 

During the investigation, it was revealed that data related to existing and former employees was compromised, including payroll information.  

In the latest breach, the University of Melbourne seems to be the latest company to have its data compromised. An academic institution has been added to the Clop ransomware group's leak site overnight after the group claimed responsibility for the attack.   

A software vulnerability in Fortra's data transfer platform was exploited by threat actors to gain access to GoAnywhere's data. Fortra first disclosed details of the breach in early February.   

It has been revealed that over 100 organizations have been compromised as a result of the Clop ransomware attack. The number of companies that have fallen victim to this attack has steadily increased since it was first discovered in 2012.   

In recent years, Clop has gained a reputation as one of the most prolific ransomware groups, targeting dozens of organizations with its malicious software.   

Efforts to wage attacks by the Russian-linked gang are being carried out as part of ransomware as a service (RaaS) operation, which means it depends on several affiliates. 

The group has been associated with larger cyber-criminal gangs such as FIN11 and TA505, according to Louise Ferrett, threat intelligence analyst at Searchlight Cyber. This attack targets large, high-profile organizations in the public eye.   

This is not the first time Ferret said that his group has been involved in a massive hack, though he didn't deny that it has happened before.   

There are more than 100 companies that were compromised by a similar attack using Accellion's legacy File Transfer Appliance which was deployed in late 2020 and early 2021. The attack was designed to exploit a mix of zero-day vulnerabilities and a powerful web shell, she went on to explain.   

Fortra's GoAnywhere MFT secure file transfer tool was used in the operation this time to exploit CVE-2023-0669. Clop distinguishes itself from other ransomware operations because, in addition to attacking multiple organizations and announcing them publicly, it also takes a spear-phishing approach.

It has been established that Clop is an established cybercriminal group, specializing in ransomware. However, it does not appear to have been installed on any systems in any of the organizations impacted by the GoAnywhere breach.