Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept.
As of Thursday afternoon, there was no evidence of active exploitation.
Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code.
They suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals and the majority being patched.
The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software's administration portal.
This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations.
Fortra responded by releasing a patch on January 22, urging immediate action from security teams.
The company had notified customers on December 4 and released the patch on December 7.
Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.
With no active exploitation confirmed, the Cybersecurity and Infrastructure Security Agency (CISA) has not yet included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog.
Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data.
Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly.
Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.
With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw.
While it is uncertain whether CISA will add this flaw to the KEV catalog, the agency has previously issued advisories for similar vulnerabilities and has already added a remote code injection issue in Fortra's GoAnywhere MFT to the catalog.
This Cyber News was published on www.cysecurity.news. Publication date: Sat, 27 Jan 2024 14:13:04 +0000