Reports that Fortra's GoAnywhere MFT file transfer software was being exploited were cause for concern because threat actors could develop exploit code from a publicly released PoC, but as of Thursday afternoon the activity did not constitute "active exploitation."
In a Jan. 25 post on X, researchers at Shadowserver said that, based on the publicly released PoC code, they had observed exploits on more than 120 IP addresses so far. However, the researchers said it's unlikely the attackers will succeed on a widespread scale because not many admin portals were exposed — only 50 — and most are patched.
The vulnerability surfaced 12 months after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability to compromise more than 130 organizations.
Fortra released a patch on Jan. 22 and recommends that security teams patch immediately. In a statement to SC Media on Thursday, Fortra said it notified customers Dec. 4 and released a patch Dec. 7.
"This vulnerability is especially dangerous because it can allow an unauthorized user to completely bypass authentication measures and create a new admin account with elevated privileges remotely," explained Ashley Leonard, chief executive officer at Syxsense. "All of these aspects combine to make the CVE critical."
Lack of exploitation for recent Fortra GoAnywhere MFT vulnerability keeps it off CISA's KEV catalog for now
Leonard said that, to date, the flaw has not been actively exploited, which may be one of the reasons the Cybersecurity and Infrastructure Security Agency (CISA) has not added it to its Known Exploited Vulnerabilities (KEV) catalog.
Based on CISA's guidance, PoCs, such as the one released earlier this week by Horizon3.ai, do not constitute "active exploitation." Leonard said CISA considers it "active exploitation" when it's demonstrated that "the intent of the actor is to succeed in exploitation and the attack occurred in 'real time,' or 'in the wild.'"
However, Leonard said it's important to note that ransomware groups have leveraged file transfer software as part of their tactics, techniques and procedures (TTPs) in the past. For example, Leonard said REvil was known to use GoAnywhere MFT to deploy malware across multiple organizations and to exfiltrate sensitive data.
“While REvil is no longer an active threat, their tactics still exist, and many members of that group are still lingering in cyberspace,” said Leonard. “LockBit is another cybercriminal operation that uses file transfer software. Although they haven't exploited GoAnywhere MFT in the past, they are also known to adopt exploits of new vulnerabilities quickly. With the patch publicly available, we'd encourage any organizations leveraging this software to patch immediately."
Callie Guenther, senior manager of cyber threat research at Critical Start, added that the Fortra GoAnywhere MFT vulnerability is relatively easy to exploit. Guenther said researchers have described it as a "1998-style" path traversal flaw, suggesting that even attackers with moderate skills could exploit it.
Given the availability of the PoC and the ease of exploitation, Guenther anticipates that threat actors may begin scanning for vulnerable GoAnywhere MFT instances and exploiting the flaw.
As for a CISA warning, while it doesn't appear at this stage that this flaw will make the KEV catalog, Guenther pointed out that CISA has been actively involved in issuing advisories for similar vulnerabilities and has previously added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the KEV catalog.