Security News > 2023 > February > Clop ransomware claims to be behind GoAnywhere zero-day attacks
The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
The gang refused to share additional details regarding their claims when BleepingComputer asked them when the attacks began, if they'd already started extorting their victims, and what ransoms they were asking for.
CISA also added the CVE-2023-0669 GoAnywhere MFT vulnerability to its ?Known Exploited Vulnerabilities Catalog on Friday, ordering federal agencies to patch their systems within the next three weeks, until March 3rd. While Shodan shows that over 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001.
Clop's alleged use of the GoAnywhere MFT zero-day to steal data is a very similar tactic to the one they used in December 2020, when they discovered and exploited an Accellion FTA zero-day vulnerability to steal the data of approximately 100 companies.
In June 2021, some of Clop's infrastructure was shut down following an international law enforcement operation codenamed Operation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in Ukraine.
The gang has also been linked to ransomware attacks worldwide since at least 2019.
News URL
Related news
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Ransomware gang creates tool to automate VPN brute-force attacks (source)
- SANS Institute Warns of Novel Cloud-Native Ransomware Attacks (source)
- ⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More (source)
- BlackLock ransomware claims nearly 50 attacks in two months (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Texas State Bar warns of data breach after INC ransomware claims attack (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-06 | CVE-2023-0669 | Deserialization of Untrusted Data vulnerability in Fortra Goanywhere Managed File Transfer Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. | 7.2 |