Cl0p ransomware group—which recently made news with its Linux variant—now claims that it stole data from hundreds of organizations by exploiting a zero-day RCE vulnerability in the GoAnywhere MFT secure file transfer tool.
About the attack campaign
The Cl0p group told BleepingComputer that it stole data from over 130 organizations over the course of 10 days after exploiting the bug CVE-2023-0669.
- The group was able to gain remote code execution capabilities on unpatched GoAnywhere MFT instances via the administrative console exposed to internet access.
- As per the claim, hackers could move laterally through its victims’ networks and deploy ransomware payloads to encrypt their systems.
- However, it only stole the documents stored on compromised GoAnywhere MFT servers.
No proof of extortion
The ransomware group refused to provide any proof or share additional details such as when the attacks began, how much ransom it demanded, and whether it has already started extorting the victims.
Alerts and patches
- GoAnywhere MFT's developer Fortra disclosed about the active exploitation of the flaw in the secure file transfer tool and a PoC exploit was also released online around the same time.
- The CISA added the GoAnywhere MFT bug to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch their systems until March 3.
More threat actors target the flaw
Another report by Huntress researchers linked hacking group TA505 with the recent exploitation of the RCE vulnerability in GoAnywhere MFT software.
- While TA505 has a long history with Clop ransomware, recent attacks overlap with Silence/Truebot activity.
- It is possible that both groups TA505 and Cl0p are working collectively to exploit vulnerable GoAnywhere MFT software.
Worth noting
The opportunistic exploitation of GoAnywhere MFT vulnerability by Cl0p is quite worrisome. Thus, victim organizations are suggested to avoid paying the ransom, use available backups, and take a layered approach to secure systems in the future.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/95c2_shutterstock_1918709732.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/abfc_shutterstock_265907960.jpg)
