Second ransomware group reported exploiting GoAnywhere security flaw

BlackCat has officially joined Clop in exploiting GoAnywhere flaw

The Clop ransomware group is no longer the only threat actor that successfully leveraged the GoAnywhere MFT vulnerability to target an organization.

As discovered by cybersecurity researchers at At-Bay, the known ransomware threat actor BlackCat (AKA ALPHV) also used the flaw to target an unnamed U.S. business back in February 2023.

“This latest exploitation of the GoAnywhere MFT vulnerability against a U.S. business by the highly-active BlackCat group raises the stakes on remediation,” At-Bay’s Ido Lev writes. “The vulnerability is a good example of how cybercriminals don’t just go after the most prevalent or publicly-known CVE disclosures. The most important indicator of risk isn’t just the score that’s given to the vulnerability, but how easily it can be exploited by cybercriminals in-the-wild, at scale, to achieve a desired outcome.”

Attacking dozens of companies

GoAnywhere MFT is a secure file transfer service, built by Fortra, and used by some of the world’s biggest organizations.

In February this year, it was discovered that a Russian threat actor known as Clop used a vulnerability in the product, now tracked as CVE-2023-0669, to infiltrate more than a hundred organizations and get away with their sensitive data.

“A zero-day remote code injection exploit was identified in GoAnywhere MFT,” Fortra said at the time. “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

Among the compromised companies are Hitachi Bank, Hatch Energy, Saks Fifth Avenue, Procter & Gamble, and many more.

To protect against these attacks, researchers say, GoAnywhere MFT users should apply the latest patch and bring their software up to at least version 7.1.2.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
