GoAnywhere MFT Zero Day Disclosures Seem Slow

March 6, 2023 TH Author headline,hacker,data loss,flaw,zero day

Expect a slow drip, drip, drip of disclosures now that two organizations have reported that they have experienced cybersecurity incidents caused by a zero-day vulnerability (CVE-2023-0699) in Fortra’s GoAnywhere MFT secure file sharing software.

The latest case was March 2, when fintech Hatch Bank reported that threat actors stole the personal data of nearly 140,000 customers from the GoAnywhere platform.

In mid-February, an SEC filing disclosed that 1 million patients tied to Community Health Systems in Tennessee were among 130 organizations compromised by the Clop ransomware group.

More disclosures are expected in the coming weeks.

“As some of these companies get closer to their reporting deadlines, you’ll see more disclosures from the 130 companies Clop supposedly broke into, whether they are through SEC filings or simply filing when they need to,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “You may also see Clop making annoucements that they have made some other breaches.”

Avishai Avivi, chief information security officer at SafeBreach, added that this is not the first time the Clop ransomware group has targeted file transfer applications. Avivi said Clop took the same approach two years ago when they targeted the Accellion file transfer applications. Avivi said it appears that they aim to copy sensitive data as a file transfer gets processed.

“It’s a nightmare for any software vendor to discover a zero-day vulnerability being exploited in the wild,” Avivi said. “This nightmare gets compounded when the software is a security-oriented tool. In reading through the details of the vulnerability, my concern is that it’s one of the OWASP top 10 vulnerabilities. As such, I do not expect GoAnywhere, a security vendor, to have such vulnerabilities.”

Avivi added that this zero-day exploit also needs an exposed administrative console to work. It’s an interesting case, because under the legislation proposed yesterday in President Joe Biden’s national cybersecurity strategy, Avivi said Fortra would not be able to limit its liability.

“The vulnerability is listed in the OWASP top 10 and should have been caught by a secure software development process,” Avivi said. “I would recommend that, rather than focusing on specific vulnerabilities, security teams should enable MFA wherever possible, but especially for privileged accounts; disable or limit any open administrative console access by any means possible; and monitor security controls for any anomalous user behavior, especially administrative accounts.”

The vulnerability in Fortra’s GoAnywhere file transfer software first came to light on Feb. 2 after security journalist Brian Krebs posted details of Fortra’s security advisory because the tech company had put the advisory behind a login prompt.

Vulcan Cyber’s Parkin advises any company using the Fortra GoAnywhere software to patch right away and be sure not to expose the admin console to the public internet.