8 GoAnywhere MFT breaches and counting.

Dave Bittner: Hello everyone and welcome to the CyberWire's Research Saturday. I am Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks of joining us.

Himaja Motheram: I a person who martyrs Twitter quite a bit and I started to see noise from Brian Krebs on Mastodon talking about this new zero-day vulnerability and a file transfer application called GoAnywhere MFT, and I never heard of that before.

Dave Bittner: Our guests this week are Emily Austin and Himaja Motheram from security company Censys. They're sharing their research months after months after first GoAnyw:here MFT zero-day attacks, Censys still sees approximately 180 public admin panels.

Himaja Motheram: It is advertised as this kind of enterprise file transfer application.

Dave Bittner: That's Himaja Matheram.

Himaja Motheram: And when we did a little bit of digging into how the service is documented, it seems that it's really intended for sensitive data. It's compliant with a lot of different data production, guidelines and standards, and the types of organizations that we see impacted by breaches are, you know, big enterprise organizations like health care institutions, financial institutions, governments even, so a pretty hefty product.

Dave Bittner: So, let's dig into the timeline here. Where did this begin and, again, how did you all decide to head down this path of research?

Himaja Motheram: I think this really started getting traction in early February when the zero-day was disclosed. The actual security advisory was hidden behind like a customer portal login, and so most of the talk about it came from Twitter, but what really made the story start to jump in discussion was around mid-February the ransomware gang, Clop which has, you know, Russian ties, claimed that it had breached 130 organizations using this exploit, and so, that rang some bells. And at first, that claim couldn't really be corroborated by any sources, but as time went on, on the organization's data leak site, it appears that their claim might have some truth to it. And so far, you know, maybe two days ago, there are over 20 organizations that have publically come forward as being having like been affected by this exploit.

Dave Bittner: Can we talk about the vulnerability itself? What is the specific issue here?

Himaja Motheram: So, it appears to be a remote code execution vulnerability I the Admin panel interface of the GoAnywhere MFT application. So, web client interfaces are not affected, but there is an RCE exploit in the licensing server of Admin panel interfaces. And Admin panels are, in this case, I would consider them, you know, critical infrastructure and they offer an interface into, you know, this very sensitive data and so really have no business being exposed to the public Internet, but we see a lot of them are exposed to the public Internet, you know, be it through misconfigurations or maybe some of these were intentionally exposed for some reason or another, but a lot of instances of these Admin panels are accessible to this RCE exploit, because they're public facing and would be, honestly, pretty trivial for even an amateur or actor to discover.

Dave Bittner: And so, what has Fortress' response been here as this was brought to their attention?

Himaja Motheram: Yeah, so their response has been a little bit criticized, because, again like I said, they hid their security advisor behind a login wall at the beginning. A little bit after that, they did release a patch in Version 712 and offered some other mitigation suggestions for customers, but over the course of the past 3 months, they have misled some customers into believing their data was safe when it wasn't, and only recently maybe in like April they published an investigation 2 months after the disclosure, but the response that we're seeing from, you know, the affected organizations is that they didn't quite feel like they were being well-informed about how their instances were affected by this vulnerability.

Dave Bittner: And your own research here looks into how many organizations are still exposed here, right?

Himaja Motheram: Yes.

Dave Bittner: Can you lay that out for us? What did you find?

Himaja Motheram: Yeah, so at the beginning, you know, early February, we saw a lot of Admin panels online. We saw around like 300 and almost 330 of these Admin panels that were publically exposed and showed indications of running versions that were vulnerable, versions earlier than 712. Right after that security advisory and some of the discussion on Twitter started peeking on February 2nd, we saw that number drop dramatically from, you know, around 332 maybe like 250. And since then we've kind of seen this very slow, steady decrease in that number of exposed hosts that look like they're running vulnerable versions. And as of, you know, 2 days ago on May 15th, we see 50. And so that's encouraging that it's dropped so much from when the original zero-day was disclosed, but 50 Admin panels online, that--those could be the portal to a wealth of sensitive data that can affect millions of people. So, we're still concerned about how this patching rate is starting to kind of plateau over the past couple weeks.

Dave Bittner: Emily, I'm interested in your insights here as well. What is your take on the information you've gathered here?

Emily Austin: Yeah, so one thing I'd like to point out, you know, we're talking about this vulnerability.

Dave Bittner: That's Emily Austin.

Emily Austin: In context, you know, several other researchers have published really excellent reviews and kind of deep dives into the remote Codec execution exploit itself. And so, where I think we really have a lot to offer, and as Himagja has kind of walked through, is being able to look at this vulnerability and others that have some kind of, you know, public Internet facing artifact available, you know, a login page, a ransom note on a public facing service. We can see those things and we can kind of zoom out a little bit and take a more macro look at the state of the vulnerability as it might be across the Internet. You know, what are the potential ramifications of this vulnerability if it were exploited to the maximum potential, right? You know, how many devices do we see that could potentially fall victim to it. And so, that's been really interesting to track here and see over time, you know, how we've been able to see this go from, you know, this dramatic decrease initially and just kind of tapering off slowing and we're kind of still seeing these still hanging around. So, it's been interesting to see that. And it also kind of ties back to this whole idea, you know, of security hygiene. I know that's something that we talk about a lot and it's something that, you know, it's not exciting necessarily, but ask that management, understanding the devices that are within your organization's purview, like that's really important. And understanding, you know, I think the GoAnywhere, their initial advisory said, you know, "Most of these instances should be behind a VPN or a firewall of some kind," but there's also this implication that some of them aren't and they're aware of that. And, you know, we see evidence of that in our data. And so, I think being aware of those things as an administrator, these tools is really important. But yeah, so I think what's really cool about what we've been able to do here is looking at this vulnerability kind of on a global scale and saying, "Okay, well what are the potential ramifications of this? " You know, "how many organizations do we see that potentially could still be affected by it?"

Dave Bittner: And when you look at that, what do you see? What are the conclusions have you all come to?

Emily Austin: Yeah, I mean like I said, I think really the big thing is we're seeing the organizations just aren't necessarily prioritizing asset management, patch management, and vulnerability management. You know, we talk a ton about new exploits and things that get released, but really and this is kind of a perfect storm right? So, you have this zero-day in a device who are in a service rather, whose Admin pages often times are exposed to the Internet unprotected. So, it's kind of this like perfect mix of you do have the zero-day and you have something improperly exposed to the Internet, that just makes it really trivial as Himaja just said to exploit and, you know, cause havoc, steal data, and do what you will.

Dave Bittner: You know, Himaja I'm curious, so certainly not all patches are created equal and everybody's situation is different of the infrastructure that they're running. Is there anything particularly burdensome in this update that you see that would cause people to lag behind or delay making the updates?

Himaja Motheram: That's a great question and I don't know the particular intricacies of the patch that might relate to that, but my hypothesis is honestly that we're seeing this patch rate plateau mostly because a lot of these assets are probably exposed unintentionally is my guess, and that some of them might even be, you know, old or legacy infrastructure that has just been kind of abandoned or maybe their service owners are not quite clear in the organization and they're kind of these endpoints that are just left without any tending, because applying the patch is like Emily said, a part of basic security hygiene and its pretty--a pretty simple process when you know what to apply it to. So, I'm thinking that these assets are kind of those unknown-unknowns in an organization potentially and that's why these basic security hygiene practices aren't being fulfilled.

Dave Bittner: Emily, based on the information that you all have gathered here, what are your recommendations?

Emily Austin: I think you could probably guess, they're not going to be exciting. They're going to be beyond like GoAnywhere specifically, right? Like get it off.

Dave Bittner: Yeah.

Emily Austin: The Internet if it's on the Internet, if it's exposed to the Internet. The Admin panel specifically. Patch it to Version 7.1.2. That's GoAnywhere specifically, but just more broadly speaking, you know again, understanding what assets are within your organization's control, like the things that you do own, getting a handle on that. It's not an easy process, but it's really, really important. So, because you can't--you can't manage vulnerabilities or patches if you don't know all of the things that you need to patch or manage, right? So, I think those are really critical pieces of a security program. There's critical pieces of, you know, strong security posture. And so, just being aware of those things that are, those like kind of back office applications, things that you know, are you know essential to business function as a tool like this is, "Oh I need to transfer data between organizations or within an organization." Yeah, so I think figuring out if you own any of these devices, understanding where they are in you network and understanding that something needs to be done about them. They do need to be kept off the public Internet, right. I think that's a huge piece here, and so all of those things come together to kind of help you create a stronger security posture for your organization.

Dave Bittner: Our thanks to Himaja Motheram and Emily Austin from Censys for joining us. The research is titled, "Months after first GoAnywhere MFT zero-day attacks." Censys still sees approximately 180 public Admin panels. We'll have a link in the Show Notes.

The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where their co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer, Jennifer Eiben. Our mixer is Elliott Peltzman, our Executive Editor is Peter Kilpe, and I'm Dave Bittner. That's for listening.