Cl0p gang counts coup with GoAnywhere zero day.
N2K logoFeb 13, 2023

Fortra disclosed a zero day exploit in the GoAnywhere managed file transfer (MFT) software at the start of this month, now said to be actively exploited by Cl0p gang operators.

Cl0p gang counts coup with GoAnywhere zero day.

On the first of this month, cybersecurity firm Fortra disclosed a vulnerability in their GoAnywhere MFT software, offering indicators of compromise (IOCs), with a patch coming only a week later, Security Week reported last week. Attacks exploiting the vulnerability are said to be linked to operators of the Cl0p ransomware family, who themselves claimed credit to Bleeping Computer on Friday.

Abusing the CVE-2023-0669 vulnerability.

The GoAnywhere vulnerability “enables attackers to gain remote code execution on unpatched GoAnywhere MFT [managed file transfer] instances with their administrative console exposed to Internet access,” wrote Bleeping Computer. The release of a proof-of-concept exploit came on Monday, with the company providing emergency updates the following day. Fortra wrote on their support site Thursday that their Managed File Transfer as a Service (MFTaaS) was also impacted:

“We have determined that an unauthorized party accessed the systems via a previously unknown exploit and created unauthorized user accounts," Fortra said. "As part of our actions to address this and out of an abundance of caution, we have implemented a temporary service outage. Service continues to be restored on a customer-by-customer basis as mitigation is applied and verified within each environment. We are working directly with customers to assess their individual potential impact, apply mitigations, and restore systems."

Cl0p takes responsibility, and tactics remain consistent across attacks.

The Cl0p gang reached out to Bleeping Computer, claiming responsibility for the attacks and saying that they had “stolen the data over the course of ten days after breaching servers vulnerable to exploits targeting this bug.” Lateral movement across victimized systems and implementation of ransomware were also reportedly possible according to this spokesperson, though the gang’s good nature, of course, prevented them from doing either, stealing only documents from compromised servers. Cl0p’s observed activity exploiting a zero day Accellion FTA vulnerability in 2020 to steal the data of around 100 companies, is reminiscent of this more recent activity the gang claims impacted 130.

Criminal links, and agency responses.

Security firm Huntress linked the activity to Truebot malware, previously associated with Russian-speaking Silence, and now TA505, the Cl0p ransomware operators, Security Week recounted. The vulnerability was added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog on Friday, tagged as CVE-2023-0669.

(Added, 10:30 AM ET, February 15th, 2023. Bleeping Computer reports that Community Health Systems (CHS) says it's been the victim of a data breach compromising “the personal and health information of up to 1 million patients." The breach was one in a recent wave of attacks exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) software. The provider reports no belief that there has been impact on their systems, saying in an SEC filing that there also “has not been any material interruption of the Company's business operations, including the delivery of patient care.” The Cl0p gang, which has claimed responsibility for these attacks, is generally believed to be linked to the criminal threat actor TA505. TA505 has been observed using Cl0p ransomware in the past.)