The Cl0p ransomware gang has exposed multiple organizations in ransomware attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) system.
Cl0p goes everywhere to exploit GoAnywhere.
A ransomware campaign in which the Cl0p gang has exploited Fortra’s GoAnywhere managed file transfer (MFT) tool has caused the compromise of data from a wide range of victims. Major financing firms, energy companies, and even governments worldwide have seen breaches due to the gang’s exploitation of the zero-day vulnerability.
GoAnywhere ransomware attack exposes organizations’ vulnerabilities.
Bart McDonough, CEO of cybersecurity company Agio, blogged yesterday about the attacks. The remote code execution vulnerability in the MFT software, tracked now as CVE-2023-0669, was first reported by Krebs on Security on February 2. Fixes for the vulnerability followed on the seventh, however, it had already been too late by that point, as data had been stolen.
Multiple companies victimized globally.
Many organizations have come forward revealing that they were victimized in this series of breaches. The Record reports that the government of the city of Toronto, Canada, and British conglomerate Virgin UK’s rewards club, Virgin Red, all experienced data exposure. Bleeping Computer wrote Thursday that another British organization, the United Kingdom’s Pension Protection Fund, was impacted by the zero-day. Several victims were located in Canada, with the Financial Post reporting yesterday that Canadian movie chain Cineplex Inc. said that it was hit in the attacks, and SC Magazine also confirming that major Canadian financing firm Investissement Qubec was impacted. Procter & Gamble was added to the gang’s leak site, and Saks Fifth Avenue confirmed an attack, said TechTarget. Major Japanese energy provider Hitachi Energy also confirmed a third-party security incident that cited the Fortra flaw, and reported disconnection of the software and an initiated investigation with law enforcement, Heimdal Security explained yesterday. Reuters also said yesterday that metals and mining giant Rio Tinto also saw the exposure of former and current Australian employee data. Bleeping Computer noted that thirty-nine new victims were added to the gang’s site yesterday.
A brief recount of Cl0p’s activity.
The Cl0p ransomware gang, also known as TA505 and FIN11, has been around for at least five years, and has victimized major companies in the past, such as Shell, Qualys, Flagstar, and Stanford University, among others, Vice reported. TechMonitor reported last year that the gang saw the arrest of six members in late 2021, with a resurgence in April of 2022. These breaches exploiting the GoAnywhere tool have been the latest in a series of attacks that show their high-level capabilities.
(Added, 5:45 AM, March 28th, 2023. Jon Miller, CEO & Co-founder of Halcyon, offered some perspective on the wave of Cl0p infestations. “The mass exploitation of the GoAnywhere vulnerability in this recent wave of Cl0p ransomware attacks should have companies who are using the software on high alert. Cl0p is likely leveraging automation to identify exposed organizations who have not patched against known vulnerability, which is why we are seeing so many new victims. Many organizations have been added to the Cl0p leaks website who have not reported a cyberattack, so it is likely Cl0p has already exfiltrated large amounts of confidential information from these victims, or they are in the process of exfiltrating data as a precursor to the delivery of a ransomware payload. These attacks typically involve weeks or even months of activity by attackers as they work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems. Organizations must have the ability to disrupt attacks at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins - not just when the attackers attempt to execute malicious binaries.”)
(Added, 6:30 PM, March 29th, 2023. Xage Security tweeted a useful response to coverage of the incident. "Many critical infrastructure and industrial organizations currently use GoAnywhere MFT for file transfer. Given that the vulnerability being exploited is related to remote code execution on the GoAnywhere MFT admin console, several actions should be taken immediately: First, any organization using GoAnywhere should immediately assure the admin console is not exposed to the internet. But that’s not all. Admin consoles inside “the perimeter” are not inherently secure. Remote access methods like VPNs can also be used against you, in fact many organizations enable GoAnywhere access via VPN! VPNs are themselves a common attack vector against critical infrastructure and industrial organizations. You need layered defenses against this type of Zero Day attack. Better access control & credential management is key. Fortra, the maker of GoAnywhere MFT, recommends a series of steps for auditing admin accounts and activity to limit exposure to this threat. Security researcher @briankrebs helpfully accessed and shared Fortra’s guidance:
"'BrianKrebs (@briankrebs@infosec.exchange)
"But as we know from the 2022 @vzdbir #DBIR Report, 80% of web application attacks involve stolen credentials. Attackers don’t have to suspiciously create new admin accounts when they can buy them on the dark web. A new approach to identity & access control is needed. But what? Here’s a post we published in January highlighting why VPNs and Jump Servers aren’t secure enough, especially for #CriticalInfrastructure, given the current threat landscape. The #Clop #ransomware reinforces the need for a new approach.")