13 February 2023

Clop ransomware gang says it hacked 130 orgs using GoAnywhere zero-day

The Clop ransomware group claims to have stolen sensitive data from 130 organizations using a recently disclosed zero-day vulnerability affecting Fortra’s GoAnywhere MFT secure file transfer software.

Tracked as CVE-2023-0669, the bug is described as a deserialization of untrusted data issue in the administrative web interface, which a remote attacker could exploit to achieve remote code execution via a malicious request. Last week, Fortra released GoAnywhere MFT v7.1.2 to address the zero-day vulnerability. According to a Shodan search query, nearly 1,000 GoAnywhere instances are exposed on the internet.

Clop told the tech news site BleepingComputer that it allegedly stole the data over the course of ten days after breaching vulnerable instances. The gang also said it decided against encrypting the breached servers with ransomware. At this stage, it is not clear whether the hackers’ claims are true, as they did not provide any proof of the hacks.

BleepingComputer said it “could not independently confirm Clop's claims, and Fortra has not replied to emails asking for more info regarding CVE-2023-0669 exploitation and the ransomware group's allegations.”

Last week, researchers with cybersecurity firm Huntress released a technical report detailing a ransomware incident involving the GoAnywhere MFT vulnerability in which a downloader called TrueBot was deployed. Previously, TrueBot had been linked to a threat actor referred to as “Silence,” which has been active in some form since 2016, with TrueBot serving as an initial access, post-compromise tool for the entity’s operations.

The company has linked this attack to TA505, a financially motivated threat group known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.

“While links are not authoritative, analysis of Truebot activity and deployment mechanisms indicate links to a group referred to as TA505. Distributors of a ransomware family referred to as Clop, reporting from various entities links Silence/Truebot activity to TA505 operations. Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” the report said.

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) also added the GoAnywhere MFT bug to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to address it by March 3, 2023.
