Massive GoAnywhere RCE Exploit: Everything You Need to Know

  /     /     /  
Publicated : 23/11/2024   Category : security


Massive GoAnywhere RCE Exploit: Everything You Need to Know


Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.



Last week, the Cybersecurity and Infrastructure Security Agency (CISA)
added
three new entries to its Known Exploited Vulnerabilities catalog. Among them was
CVE-2023-0669
, a bug that has paved the way for exploits and follow-on ransomware attacks against hundreds of organizations in recent weeks.
The bug was discovered in GoAnywhere, a Windows-based file-sharing software from Fortra, formerly HelpSystems. According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. According to
data from Enlyft
, most of those are large organizations — with at least 1,000 and, often, more than 10,000 employees — mostly based in the United States.
The bug tracked as CVE-2023-0669 allows hackers to remotely execute code in target systems, through the internet, without need for authentication. As of this writing, this vulnerability has not yet received an official
CVSS rating
from the National Vulnerability Database.
But we need not wonder about how dangerous it is, as hackers have already pounced. On Feb. 10 — days after
Fortra released a patch
— the
Clop ransomware gang claimed
to have exploited CVE-2023-0669 in over 130 organizations.
After three weeks and counting, its unclear whether or not more organizations are still at risk.
On Feb. 2, two abnormal commands triggered alerts in an IT environment monitored by endpoint detection and response (EDR) vendor Huntress. Both were executed on a host designated for processing transactions on the GoAnywhere platform, though the significance of this wasnt clear yet.
At first glance, the alert itself was fairly generic,
wrote Joe Slowik
, threat intelligence manager for Huntress. But further analysis revealed a more interesting set of circumstances.
An entity on this alerted network had attempted to download a file from a remote resource. Slowik and his colleagues tried to access the file themselves, but by then the port used to download it had been closed up. We dont really know for certain why, Slowik tells Dark Reading. Its possible that the adversary was working at a very rapid clip.
They did have the IP address of that entity, however, which traced back to Bulgaria, and was flagged as malicious by VirusTotal. The actor seemed to be from outside of the organization, and had used their first command to download and run a dynamic link library (DLL) file.
Knowing that the DLL was also executed further raised the risk level of the incident, Slowik says, since if it was malware that was downloaded, it is now running on the system.
There were other signs, too, that this was a compromise. But even after isolating the relevant server, a second server at the targeted organization became infected. We were worried that we had a very persistent adversary, Slowik recalls.
The researchers still lacked a copy of the downloaded malware, but all of the evidence surrounding it seemed to accord with activity previously associated with a malware family called Truebot. The post in the URI structure that was used mapped to earlier Truebot samples, Slowik says. The DLL exports that were referenced in order to launch the malware, or similar to historical tripod samples, as well as some strings and code structures, all matched. Within the samples themselves, all of it aligned very nicely with what had previously been reported in 2022 for Truebot.
Truebot has been linked to a
prolific

Russian

group

called

TA505
. Notably, TA505 has utilized the ransomware-as-a-service (RaaS) malware
Clop
in previous attacks.
On the same day as Slowiks investigation, reporter
Brian Krebs publicly republished an advisory Fortra
had sent to its users the day before. GoAnywhere was being exploited, its developers explained, and they were implementing a temporary service outage in response.
Whatever mitigations were taken werent enough. On Feb. 10, hackers behind the
Clop ransomware told Bleeping Computer
that they’d used the GoAnywhere exploit to breach over more than organizations.
CVE-2023-0669 is a cross-site request forgery (CSRF) but that arises from how unpatched GoAnywhere users install their software licenses.
Interestingly, it was as much a design choice as an oversight. Typically, installing a license involves downloading a license file from a server and uploading it to your device, explains Ron Bowes, lead security researcher for Rapid7, who released the most detailed publicized
analysis
of how an internal user could trigger the exploit. Fortra chose to make that whole process transparent, where the license is delivered through the administrators browser. That means the user gets a much smoother experience.
However, that seamlessness came at a cost. There is no CSRF protection (and the cookie is not actually required, so no authentication is required to exploit this issue), Bowes explained in his analysis. That means that this can, by design, be exploited via cross-site request forgery.
In its report, Rapid7 labeled the exploitability of this vulnerability as very high.
While the administration port should not be exposed to the internet, Bowes says, its very easy to configure it that way by mistake. And once an attacker understands the vulnerability, it can be exploited without any risk of crashing the application or corrupting data.
Rapid7 also labeled very high the value of such an exploit to an attacker. As Bowes explains, due to the nature of the application (managed file transfer, or MFT), its common for a GoAnywhere MFT server to sit on a network perimeter and to have the file transfer ports publicly exposed. This makes it a good target for both pivoting into an organizations internal network, and/or stealing potentially sensitive data directly off the target.
On Feb. 6, Fortra
fixed CVE-2023-0669
by adding what they call a license request token, Bowes explains, which is included in the encrypted request to Fortras server. It behaves exactly as a CSRF token would, preventing an attacker from leveraging an administrators browser.
As severe as the exploit is, only a fraction of GoAnywhere customers are vulnerable to outside hackers through CVE-2023-0669. However, even those without Internet-exposed GoAnywhere instances are still vulnerable to internal users or attackers who have gained initial compromise to a network via regular Web browsers.
The bug can be exploited remotely if an organization’s GoAnywhere administration port — 8000 or 8001 — is exposed on the Internet. As of last week, more than
1,000 GoAnywhere instances
 were exposed, but, Bleeping Computer explained, only 135 of those pertained to the relevant ports 8000 and 8001. Most of those vulnerable seem to have already been swept up in one big campaign by the Clop group.
We urgently advise all GoAnywhere MFT customers to apply this patch,
Fortra wrote in another advisory
to its internal customers. Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Massive GoAnywhere RCE Exploit: Everything You Need to Know