
GoAnywhere MFT Vulnerability Exploited by BlackCat Group

BlackCat Group Joins Clop in Exploiting GoAnywhere MFT Security Flaw


As cybersecurity threats continue to rise, it is crucial for businesses to ensure their systems and software are up to date with the latest patches and security protocols. However, even with the best precautions, there are still potential vulnerabilities that cybercriminals can exploit. One such vulnerability is the GoAnywhere MFT security flaw, which has recently been targeted by not just one, but two ransomware groups: Clop and BlackCat. In this article, we will discuss the latest exploit of the GoAnywhere MFT vulnerability by the BlackCat ransomware group and what businesses can do to protect themselves.

The GoAnywhere MFT is a popular and secure file transfer service used by some of the world’s biggest organizations. However, in February 2023, it was discovered that a Russian threat actor known as Clop had exploited a vulnerability in the product, now tracked as CVE-2023-0669, to infiltrate more than a hundred organizations and steal their sensitive data. Now, another threat actor, BlackCat (AKA ALPHV), has successfully leveraged the same vulnerability to target an unnamed U.S. business.

The Latest Exploitation

According to cybersecurity researchers at At-Bay, the BlackCat ransomware group targeted the U.S. business back in February 2023, using the GoAnywhere MFT vulnerability to gain access and steal sensitive data. This latest attack has raised concerns among experts, as the GoAnywhere MFT vulnerability is becoming a popular target for cybercriminals.


The Importance of Remediation

As At-Bay’s Ido Lev writes, “the vulnerability is a good example of how cybercriminals don’t just go after the most prevalent or publicly-known CVE disclosures. The most important indicator of risk isn’t just the score that’s given to the vulnerability, but how easily it can be exploited by cybercriminals in-the-wild, at scale, to achieve a desired outcome.” In other words, a vulnerability with a low score can still be a target for cybercriminals if it is easy to exploit.

The GoAnywhere MFT Vulnerability

The GoAnywhere MFT vulnerability exploited by both Clop and BlackCat is a zero-day remote code injection flaw, which was identified by Fortra, the company behind the product. Exploiting it requires access to the administrative console of the application, which in most cases is reachable only from within a private company network, through a VPN, or from allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).

Companies Affected

Among the compromised companies are Hitachi Bank, Hatch Energy, Saks Fifth Avenue, Procter & Gamble, and many more. These high-profile companies have suffered significant financial and reputational damage as a result of the data breaches.

Protection Against GoAnywhere MFT Exploits

To protect against GoAnywhere MFT exploits, researchers recommend that users apply the latest patch and upgrade their software to at least version 7.1.2, so that the vulnerability is no longer exploitable.
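The two conditions described above (a version below 7.1.2 and an administrative console reachable beyond the private network) can be checked together across an inventory. The following is an added example, not code from the article, At-Bay or Fortra; the inventory format, field names, hostnames and priority labels are assumptions made for illustration.

```python
import ipaddress

FIXED_VERSION = (7, 1, 2)  # minimum version the article says to run
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """'7.1' -> (7, 1, 0); components beyond the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def console_exposure(allowed_sources):
    """Classify admin console reach: internet, allow-listed, or internal (RFC 1918 only)."""
    if not allowed_sources:          # assumption: no allow-list means unrestricted
        return "internet"
    exposure = "internal"
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:       # 0.0.0.0/0 or ::/0
            return "internet"
        if not any(net.version == r.version and net.subnet_of(r) for r in RFC1918):
            exposure = "allow-listed"
    return exposure

def assess(instance):
    """Return (priority, findings) for one inventory record."""
    patched = parse_version(instance["version"]) >= FIXED_VERSION
    exposure = console_exposure(instance["admin_allowed_sources"])
    findings = []
    if not patched:
        findings.append("upgrade to 7.1.2 or later")
    if exposure != "internal":
        findings.append(f"admin console exposure: {exposure}")
    if not patched and exposure == "internet":
        priority = "critical"
    elif not patched:
        priority = "high"
    elif exposure == "internet":
        priority = "medium"
    else:
        priority = "low"
    return priority, findings

# Constructed sample inventory (hostnames and addresses are made up).
INVENTORY = [
    {"host": "mft-dmz-01", "version": "7.1.1", "admin_allowed_sources": ["0.0.0.0/0"]},
    {"host": "mft-cloud-02", "version": "7.0.3", "admin_allowed_sources": ["203.0.113.10/32"]},
    {"host": "mft-int-03", "version": "7.1.2", "admin_allowed_sources": ["10.20.0.0/16"]},
]

if __name__ == "__main__":
    for inst in INVENTORY:
        print(inst["host"], *assess(inst))
```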

The exploitation of the GoAnywhere MFT vulnerability by both Clop and BlackCat highlights the importance of staying up to date with the latest patches and security protocols. Cybercriminals are constantly evolving their tactics and techniques, and it is crucial for businesses to remain vigilant and proactive in protecting their systems and data.

Adil Sattar
