Patch Now: Latest GoAnywhere Vulnerability Ripe for Exploitation

Date:

January 24, 2024

World map

A proof-of-concept (POC) exploit that takes advantage of a newly discovered high severity bug (9.8/10) in the Fortra GoAnywhere MFT software (CVE-2024-0204) could allow attackers administrative permissions on a targeted device.

“Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, it's recommended to replace the file with an empty file and restart,” The Hacker News reports.

"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. If the attacker has left this user here, you may be able to observe its last logon activity here to gauge an approximate date of compromise."

Takeaway: Attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences in massive compromise campaigns.

Nowhere was this more evident than in the widespread exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362) the Cl0p ransomware gang leveraged to compromise more than 1000 victims in rapid succession over the summer in 2023.

The wave of attacks followed another earlier in the year where Cl0p successfully compromised more than a hundred targets by exploiting a bug in the GoAnywhere file transfer tool, and this latest POC puts the file sharing application back in the spotlight.

Research from last year found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019 for which patches were already available.  

Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for patching or were simply never addressed.

The marked increase in the exploitation of vulnerabilities by ransomware gangs is evidence that criminal actors are increasingly using more complex tactics that were previously only observed in state-supported operations, including instances where zero-days have been employed.

The bad news is that as attackers are getting more proficient at automating aspects of the attack progression by exploiting known vulnerabilities for initial access, lateral movement, security tool evasion, and payload delivery, so we will likely continue to see an escalation in the number of attacks.

Patching of vulnerabilities is critical, and there are only two reasons for an organization to fail to patch in a timely manner: they could have patched, but didn’t, or they wanted to but couldn’t.

Organizations who wanted to patch but couldn’t is where the real work needs to be done, because patching systems can be highly complex for some organizations.  

To avoid breaking critical business systems, patches often need to be applied in the development and tested prior to production. Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied.  

That’s why there can be weeks or months of preparatory work to do before they can deploy a patch throughout the network.

But for those who could have patched but didn’t, there is no excuse. If we could first address this issue of the “low hanging fruit” who offer attackers a ripe target via poor security protocols, we could certainly make a big dent in this ransomware growing threat.

The good news is that given these operations leverage exploits for well-documented vulnerabilities, it means we can detect and stop ransomware operators earlier in the attack sequence.

Many of the TTPs they employ are common and should help to reveal a host of detectable activity on the network that occurs long before the actual ransomware payload is delivered.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used, or when the attackers begin to move laterally on the network and seek to escalate privileges.

The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.