Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label GoAnywhere MFT. Show all posts

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.

CIOp Attacks: Ransomware Group Reveal Names of the MOVEit Zero-Day Attack Victims


CIOp ransomware group has revealed names of more than two dozen organizations that are apparently attacked in their campaign via a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group utilized the MOVEit transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Despite some evidence indicating that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

In no time, the attacked were proved to be connected to the CIOp group, that had earlier utilized a zero-day in the GoAnywhere MFT products, stealing data of several firms. The MOVEit zero-day campaign's perpetrators have acknowledged their involvement, and they have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims of the attacks include energy giant Shell, as well as firms from various sectors like financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large number of victims include US-based banks and other financial institutions, followed by healthcare organizations. The hackers declared they would not target pediatric healthcare facilities after the breach was discovered.

The first known victims of the attacks included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and the Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Following the ransomware attacks, the group has not yet leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government organizations were also impacted with the attacks, as per Eric Goldstein who is the executive director for CISA. These agencies include Department of Energy, which is now working on the issue to control the impact of the attack.

However, the ransomware gang claims that their prime motive behind these attacks is to acquire ransoms from businesses and confirms that all the state-related data they may have acquired in the attacks has been deleted.

Ransomware Attacks Surge in March 2023

According to recent reports, March 2023 saw a record-breaking number of ransomware attacks globally, with a staggering 459 incidents reported. This highlights the increasing prevalence and sophistication of cyber-attacks and the need for robust cybersecurity measures.

Ransomware attacks involve hackers encrypting a victim's data and demanding a ransom payment in exchange for the decryption key. Cybercriminals typically gain access to systems through phishing emails or exploiting vulnerabilities in software.

One such attack in March involved a zero-day vulnerability in the GoAnywhere MFT software used for secure file transfer. Cybersecurity firm Fortra completed an investigation into the incident and confirmed that the vulnerability had been exploited by attackers.

The incident emphasizes the importance of promptly identifying and patching vulnerabilities to prevent cyber attacks. With the increasing use of software and internet-connected devices, cybercriminals have more opportunities to exploit weaknesses.

Cybersecurity experts recommend implementing best practices such as regular security assessments, employee training, and security controls to minimize the risk of cyber attacks. In addition, having an incident response plan in place can help organizations quickly respond to and contain any attacks.

The prevalence of ransomware attacks underscores the importance of investing in robust cybersecurity measures to protect sensitive data and prevent business disruption. Cybersecurity threats are constantly evolving, and organizations must remain vigilant and proactive in their approach to cybersecurity to stay ahead of cybercriminals.

A recent surge in ransomware attacks and the GoAnywhere MFT incident serve as reminders of the vulnerabilities that exist in software and the need for proactive cybersecurity measures. Organizations must prioritize cybersecurity to protect themselves against these evolving threats and prevent potentially catastrophic consequences.

Tasmanian Hit by Big Data Breach Confirmed by Minister

 

The Tasmanian Department of Education, Children, and Young People experienced a cyber attack where hackers targeted and breached the third-party file transfer service GoAnywhere MFT. The breach took place last month and the state government confirmed on March 31 that its data had been accessed. Despite applying a patch to fix vulnerabilities, the government continues to use the software as part of "best practice." 

The breach lasted for four days, during which information was transferred. As a result, documents including invoices, bank statements, and personal information of individuals connected to the department were accessed by the ransomware group Cl0p. Investigations are ongoing, and there may be more affected documents. 

Tasmanian schools have been notified, and a hotline (1800 567 567) has been established for individuals to report any concerns about their data. Additionally, 16,000 Tasmanian education department documents, including personal information of school children, were released on the dark web by hackers. Science and Technology Minister Madeleine Ogilvie confirmed the breach, revealing that financial statements and invoices containing names and addresses of students and parents were accessed. 

Ms. Ogilvie expressed concern for affected students and parents, urging them to report any unusual activity on their bank statements to authorities, such as the Australian Cybersecurity Centre or the provided hotline. She acknowledged the global nature of cybercrime and expressed sympathy for those whose data was released. 

According to the data, Crown Resorts and Rio Tinto are also believed to be victims of the same cyber attack. Labor's Jen Butler called on the premier to manage the crisis, as potentially every primary school in Tasmania and anyone associated with the Department of Education may be compromised, posing a risk. 

Other organizations, including Rio Tinto, have been contacted for ransom by the same Russian hackers. Labor leader Rebecca White has requested a briefing from the government, acknowledging the seriousness of the situation and parental concerns. 

Furthermore, Ogilvie confirmed that as of now the demands for ransom have not been made by the hackers. However, the federal government advises against paying any ransom if demanded. Earlier, the state opposition urged Tasmanian Premier Jeremy Rockliff to intervene and address the escalating situation. 

The ransomware group known as "CL0P" is believed to be a Russian-language cybercriminal gang responsible for notorious "big game hunter" ransomware attacks since at least 2019. They have been associated with other cybercriminal groups such as 'FIN11' and 'UNC2546'. CL0P follows the common tactic of stealing, encrypting, and leaking data, and victims who fail to meet their ransom demands are publicly named and shamed on their leak site called "CL0P LEAKS" hosted on Tor.