In a recent security announcement, Fortra, the parent company of Cobalt Strike, disclosed a serious zero-day remote code execution (RCE) vulnerability within its GoAnywhere MFT tool. This vulnerability is reportedly being actively exploited by ransomware groups to access sensitive data.
The vulnerability, designated as CVE-2023-0669 with a CVSS score of 7.2, centers on a pre-authenticated command injection flaw that can allow attackers to execute arbitrary code. Although Fortra addressed this issue with a patch in version 7.1.2 in February 2023, it had already been leveraged as a zero-day exploit beginning January 18.
Fortra’s investigation, conducted in collaboration with Palo Alto Networks Unit 42, revealed that suspicious activity was detected linked to certain file transfer operations as early as January 30, 2023.
The company noted that the attackers utilized CVE-2023-0669 to create unauthorized user accounts, allowing them to breach the environments of some MFTaaS customers. In certain instances, these unauthorized accounts were exploited to download files from these hosted environments, raising significant security concerns.
Furthermore, between January 28 and January 31 the attackers attempted to deploy two additional tools, identified as “Netcat” and “Errors.jsp”, although whether these deployment attempts succeeded remains uncertain.
Fortra has proactively communicated with affected customers and claims to have found no indications of unauthorized access in environments that have been reconfigured to be secure.
Netcat, a legitimate data management tool, was utilized in the attacks; however, the function of the JSP file in this context remains unclear. The investigation also determined that CVE-2023-0669 had been exploited on a select few on-premises implementations operating under specific configurations of the GoAnywhere MFT solution.
In response to the threat, Fortra recommends that users rotate their Master Encryption Key, reset all credentials, review audit logs, and eliminate any unauthorized admin or user accounts to bolster their security posture.
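One way to carry out the audit-log review step above, added here as an illustration and not taken from Fortra's advisory: the script flags account-creation events on or after the January 18 exploitation start that are not in a vetted baseline, and records what each flagged account did afterwards (the account-creation-then-download pattern the investigation describes). The log format, field names, sample lines and baseline are all constructed assumptions, not GoAnywhere's actual audit format.

```python
from datetime import date, datetime

# Per the advisory, exploitation of CVE-2023-0669 began on January 18, 2023,
# so account-creation events on or after that date deserve review.
EXPLOIT_START = date(2023, 1, 18)

# Constructed sample audit lines in an ASSUMED "timestamp event actor target role"
# format. This is not GoAnywhere's real audit format; adapt parse_line() to yours.
SAMPLE_AUDIT_LOG = """\
2023-01-10T09:12:03Z USER_CREATED admin jsmith user
2023-01-25T02:41:17Z USER_CREATED admin svc_backup user
2023-01-29T03:05:44Z USER_CREATED svc_backup support2 admin
2023-01-30T03:07:10Z FILE_DOWNLOAD support2 /exports/payroll.csv -
2023-02-02T11:20:00Z USER_CREATED admin mlee user
"""

# Accounts the organisation can vouch for (constructed baseline, e.g. from HR or the IdP).
KNOWN_ACCOUNTS = {"admin", "jsmith", "mlee"}


def parse_line(line):
    """Split one constructed audit line into (date, event, actor, target, role)."""
    ts, event, actor, target, role = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(), event, actor, target, role


def find_unauthorized_accounts(log_text, known_accounts, since=EXPLOIT_START):
    """Return {account: reason} for accounts created on/after `since` that are not
    in the vetted baseline, appending any later actions taken by those accounts."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, event, actor, target, role = parse_line(line)
        if event == "USER_CREATED" and day >= since and target not in known_accounts:
            findings[target] = f"created {day} with role {role} by {actor}"
        # A flagged account that goes on to create users or pull files matches the
        # escalation chain in the advisory; note it against that account.
        if actor in findings and event in ("USER_CREATED", "FILE_DOWNLOAD"):
            findings[actor] += f"; then {event} {target} on {day}"
    return findings


if __name__ == "__main__":
    for account, reason in find_unauthorized_accounts(SAMPLE_AUDIT_LOG, KNOWN_ACCOUNTS).items():
        print(f"REVIEW {account}: {reason}")
```

Each flagged account is a candidate for removal under the advisory's guidance, after confirming it with whoever owns account provisioning.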
This incident comes in the wake of a reported increase in ransomware attacks in March, as detailed by cybersecurity firms Malwarebytes and NCC Group. The surge is largely attributed to the ongoing exploitation of the GoAnywhere MFT vulnerability, with 459 attacks recorded, a 91% rise since February.
The Cl0p ransomware group has emerged as a significant threat actor during this period, successfully exploiting the GoAnywhere vulnerability and affecting a notable number of victims, thereby overshadowing other ransomware variants such as LockBit and Royal.
Notably, Cl0p has also previously exploited zero-day vulnerabilities in other security products, highlighting the persistent challenges organizations face from sophisticated cyber threats.