Clop Ransomware Group Exploits GoAnywhere MFT Flaw

The ransomware gang known as Clop has been observed exploiting a pre-authentication command injection vulnerability (CVE-2023-0669) in Fortra’s file transfer solution GoAnywhere MFT.

The high-level vulnerability has a CVSS:3.1 score of 7.2 and was exploited against several companies in the US and elsewhere, according to a new advisory by security experts at CloudSEK.

The flaw derives from a deserialization bug that can be exploited by sending a post request to the endpoint. CloudSEK warned that a Metasploit module is also available to take advantage of the vulnerability.

“The exploit for this CVE was available a day before the patch (7.1.2) was released on February 7 2023. Many vulnerable admin panels of GoAnywhere were found to be indexed on Shodan [a search engine for Internet-connected devices] running on port 8000,” reads the technical write-up.

The company clarified that only the GoAnywhere administrative interface was vulnerable to the exploit used by the Clop ransomware group and not the web client interface used by most people.

Read more on Clop here: Members of Clop Ransomware Gang Arrested in Ukraine

Still, threat actors could search for web client interfaces on the internet and then try to find admin panels on the same IP.

“Shodan search results indicate that thousands of web panels for GoAnywhere are exposed on the web,” CloudSEK wrote. “Of these thousands, around 94 of them are running on port 8000 or port 8001 where the admin panel […] is located. In order to obtain remote code execution, only a post request needs to be made to the vulnerable endpoint.”

To mitigate the impact of this vulnerability, CloudSEK advised system defenders to update their machines to the latest GoAnywhere version as well as stop exposing port 8000 (the internet location of the GoAnywhere MFT admin panel).  

Admin user accounts should also be reviewed for suspicious activity such as unrecognized usernames, accounts created by unknown ‘systems,’ suspicious timing of account creation and disabled or non-existent super users creating accounts.

The CloudSEK advisory follows a report published by Microsoft in October last year linking Raspberry Robin Worm actors to the Clop and LockBit ransomware groups.

Leave a Reply

Your email address will not be published. Required fields are marked *