A newly discovered zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) application is being actively exploited by cybercriminals. Details of the flaw emerged when security journalist Brian Krebs shared the information on Mastodon; Fortra has yet to issue a public advisory regarding the incident.
This vulnerability enables remote code injection but requires access to the application’s administrative console. Consequently, it is vital that the administrative console is not exposed to the public internet. As security expert Kevin Beaumont pointed out, more than 1,000 instances of the software are openly accessible online, with a significant concentration in the United States.
The advisory referenced by Krebs highlights that organizations using GoAnywhere MFT should scrutinize their administrative users, focusing in particular on unfamiliar usernames whose creator is recorded as the system itself rather than a known administrator. According to Rapid7 researcher Caitlin Condon, ongoing attacker activity likely involves the creation of new administrative accounts to take control of, or maintain persistence within, compromised systems.
Additionally, attackers may exploit weak, reused, or default credentials to gain administrative access to the console. Organizations must remain vigilant against unauthorized modifications to their user accounts, as these could be indicative of an ongoing attack.
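The account review described above can be turned into a repeatable check. The following is an added example and not Fortra's or Rapid7's own tooling: it parses a constructed CSV export of administrative users (the column names and the "system" creator value are assumptions about the report format, not Fortra's documented schema) and flags any account that is missing from a known-good baseline, was recorded as created by the system, or was created after a chosen review cutoff.

```python
"""Audit an exported list of admin users for the indicators discussed above:
unfamiliar usernames and accounts recorded as created by the system itself.

Added example. The export format, column names and the literal creator value
"system" are constructed assumptions; map them onto the fields your own
admin-user report actually contains."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (assumed columns; not a real GoAnywhere report).
SAMPLE_EXPORT = """\
username,created_by,created_on,roles
admin,installer,2021-03-02T09:15:00Z,Security Officer
jsmith,admin,2022-07-19T14:02:00Z,Product Administrator
backup_svc,admin,2022-11-30T08:45:00Z,Product Administrator
sysadm2,system,2023-02-01T03:12:44Z,Security Officer
goanywhere,system,2023-02-02T02:58:10Z,Product Administrator
"""

# Baseline of admin usernames the organization knows it created (constructed).
KNOWN_ADMINS = {"admin", "jsmith", "backup_svc"}

# Any admin account created after this point is reviewed regardless of creator.
REVIEW_AFTER = datetime(2023, 1, 31, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV export into a list of dicts with a parsed UTC timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["created_on"] = datetime.fromisoformat(
            row["created_on"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def audit_admin_users(rows, known_admins=KNOWN_ADMINS, review_after=REVIEW_AFTER):
    """Return a list of (username, reasons) for accounts that need review."""
    findings = []
    for row in rows:
        reasons = []
        if row["username"] not in known_admins:
            reasons.append("not in baseline")
        if row["created_by"].strip().lower() == "system":
            reasons.append("created by system")
        if row["created_on"] > review_after:
            reasons.append("created after review cutoff")
        if reasons:
            findings.append((row["username"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_admin_users(parse_export(SAMPLE_EXPORT)):
        print(f"REVIEW {user}: {', '.join(reasons)}")
```

Run against a real export, the baseline should come from change records or a pre-incident snapshot rather than from the current user list, since an attacker-created account that is already present would otherwise be baselined as legitimate.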
Currently, no patch is available for this zero-day vulnerability; however, Fortra has provided recommendations to remove the “License Response Servlet” configuration from the web.xml file as a temporary workaround. The lack of robust security measures in file transfer solutions has made them attractive targets for threat actors, as evidenced by previous breaches involving Accellion and FileZen, where vulnerabilities were weaponized for data theft and extortion.
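The interim workaround amounts to deleting two entries from a standard Java `web.xml`: the `<servlet>` declaration and the `<servlet-mapping>` that both carry the servlet-name "License Response Servlet". The script below is an added example, not Fortra's own instructions or tooling: it removes those elements by servlet-name while leaving the rest of the file intact, and works whether or not the file declares a default XML namespace. The sample `web.xml` is constructed, and its servlet classes and URL patterns are placeholders; only the servlet-name string comes from the workaround described above.

```python
"""Remove the 'License Response Servlet' <servlet> and <servlet-mapping>
entries from a Java web.xml, as the interim workaround describes.

Added example, not Fortra's tooling. The sample web.xml is constructed;
class names and URL patterns in it are placeholders."""
import xml.etree.ElementTree as ET

TARGET_SERVLET = "License Response Servlet"

# Constructed sample web.xml (placeholder classes and URL patterns).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Example Servlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.example.PlaceholderLicenseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Example Servlet</servlet-name>
    <url-pattern>/example</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/placeholder-license</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace from a tag name ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _register_default_namespace(root):
    """Keep the file's default namespace unprefixed when serializing."""
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])


def remove_servlet(xml_text, servlet_name=TARGET_SERVLET):
    """Return (new_xml_text, removed_count) after dropping every <servlet>
    and <servlet-mapping> whose <servlet-name> equals servlet_name."""
    root = ET.fromstring(xml_text)
    _register_default_namespace(root)
    removed = 0
    for child in list(root):  # copy: we mutate root while iterating
        if _local(child.tag) not in ("servlet", "servlet-mapping"):
            continue
        names = [e.text.strip() for e in child
                 if _local(e.tag) == "servlet-name" and e.text]
        if servlet_name in names:
            root.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def servlet_names(xml_text):
    """Sorted set of servlet-names declared, for verifying the edit."""
    root = ET.fromstring(xml_text)
    return sorted({e.text.strip() for e in root.iter()
                   if _local(e.tag) == "servlet-name" and e.text})


if __name__ == "__main__":
    new_xml, count = remove_servlet(SAMPLE_WEB_XML)
    print(f"removed {count} element(s); remaining: {servlet_names(new_xml)}")
```

When applying this to a live installation, back up the original file first, write the returned text back in place, and restart the application so the change takes effect; `servlet_names` on the rewritten file is a quick way to confirm the target entry is gone and nothing else was dropped.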
In an update from Fortra, the company has officially released a patch (version 7.1.2) to rectify the zero-day flaw in GoAnywhere MFT. Customers are urged to implement this patch promptly to mitigate risks associated with the ongoing exploitation.
In terms of the MITRE ATT&CK framework, this attack could involve various adversary tactics and techniques, including initial access through exploitation of vulnerabilities, persistence via the creation of unauthorized administrative accounts, and privilege escalation to gain heightened access rights. These tactics underline the complexity and severity of the current threat landscape affecting managed file transfer solutions.
Organizations need to prioritize security measures, ensuring they are not only aware of existing vulnerabilities but also proactively implementing steps to safeguard their applications against potential breaches. With the rise of sophisticated cyber threats, staying informed and prepared is essential for maintaining cybersecurity resilience.