Security News > 2023 > February > Clop ransomware claims to be behind GoAnywhere zero-day attacks
The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
The gang refused to share additional details regarding their claims when BleepingComputer asked them when the attacks began, if they'd already started extorting their victims, and what ransoms they were asking for.
CISA also added the CVE-2023-0669 GoAnywhere MFT vulnerability to its ?Known Exploited Vulnerabilities Catalog on Friday, ordering federal agencies to patch their systems within the next three weeks, until March 3rd. While Shodan shows that over 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001.
Clop's alleged use of the GoAnywhere MFT zero-day to steal data is a very similar tactic to the one they used in December 2020, when they discovered and exploited an Accellion FTA zero-day vulnerability to steal the data of approximately 100 companies.
In June 2021, some of Clop's infrastructure was shut down following an international law enforcement operation codenamed Operation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in Ukraine.
The gang has also been linked to ransomware attacks worldwide since at least 2019.
News URL
Related news
- Play ransomware exploited Windows logging flaw in zero-day attacks (source)
- Kidney dialysis firm DaVita hit by weekend ransomware attack (source)
- Apple fixes two zero-days exploited in targeted iPhone attacks (source)
- Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) (source)
- Ahold Delhaize confirms data theft after INC ransomware claims attack (source)
- Apple Patches Two Zero-Days Used in ‘Extremely Sophisticated’ Attacks (source)
- Interlock ransomware gang pushes fake IT tools in ClickFix attacks (source)
- Phishing detection is broken: Why most attacks feel like a zero day (source)
- Interlock ransomware claims DaVita attack, leaks stolen data (source)
- DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-06 | CVE-2023-0669 | Deserialization of Untrusted Data vulnerability in Fortra Goanywhere Managed File Transfer Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. | 7.2 |