The Clop ransomware group is no longer the only threat actor that successfully leveraged the GoAnywhere MFT vulnerability to target an organization.
As discovered by cybersecurity researchers at At-Bay, known ransomware threat actor BlackCat (AKA ALPHV) also used the flaw to target an unnamed U.S. business back in February 2023.
“This latest exploitation of the GoAnywhere MFT vulnerability against a U.S. business by the highly-active BlackCat group raises the stakes on remediation,” At-Bay’s Ido Lev writes. “The vulnerability is a good example of how cybercriminals don’t just go after the most prevalent or publicly-known CVE disclosures. The most important indicator of risk isn’t just the score that’s given to the vulnerability, but how easily it can be exploited by cybercriminals in-the-wild, at scale, to achieve a desired outcome.”
Attacking dozens of companies
GoAnywhere MFT is a secure file transfer service, built by Fortra, and used by some of the world’s biggest organizations.
In February this year, it was discovered that a Russian threat actor known as Clop used a vulnerability in the product, now tracked as CVE-2023-0669, to infiltrate more than a hundred organizations and get away with their sensitive data.
“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said at the time. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”
Among the compromised companies are Hitachi Bank, Hatch Energy, Saks Fifth Avenue, Procter & Gamble, and many more.
To protect against these attacks, researchers say, GoAnywhere MFT users should apply the latest patch and bring their software up to at least version 7.1.2.