Security News > 2023 > April > Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks
2023-04-20 11:22

Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data.

"The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments," the company said.

While Netcat is a legitimate program for managing reading and writing data over a network, it's currently not known how the JSP file was used in the attacks.

The investigation also found that CVE-2023-0669 was exploited against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution.

The development comes as Malwarebytes and NCC Group reported a spike in ransomware attacks during the month of March, largely driven by active exploitation of the GoAnywhere MFT vulnerability.

"The ransomware-as-a-service provider, Cl0p, successfully exploited the GoAnywhere vulnerability and was the most active threat actor observed, with 129 victims in total," NCC Group said.

News URL

Related Vulnerability

2023-02-06 CVE-2023-0669 Deserialization of Untrusted Data vulnerability in Fortra Goanywhere Managed File Transfer
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.
low complexity
fortra CWE-502