An emergency patch (7.1.2) has been released for an actively exploited zero-day vulnerability found in the GoAnywhere MFT administrator console.
GoAnywhere MFT, which stands for managed file transfer, is a software solution that allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, mostly those with more than 10,000 employees and 1B USD in revenue.
Some of these organizations are part of vital infrastructures; such as local governments, financial companies, healthcare organizations, energy firms; and technology manufacturers. A breach resulting from a GoAnywhere exploitation would lead to a serious supply chain attack.
Fortra (formerly HelpSystems), the company behind GoAnwhere MFT and Cobalt Strike, released the patch to finally secure the vulnerability, which allows an attacker to perform unauthenticated remote code execution during instances when the administrator console is made accessible in the public internet. Florian Hauser (@frycos), IT security consultant at Code White, released a proof-of-concept (PoC) exploit for the vulnerability on Monday.
Brian Krebs of KrebsOnSecurity graciously shared what Fortra said in its advisory, which can only be accessed by creating a free account:
"The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)." However, a scan using Shodan, the search engine for internet-connected devices, revealed more or less a thousand instances of exposed GoAnywhere admin panels, the majority of which were found in Europe and the US.
Shodan results came up after security professional Kevin Beaumont did some digging. He said the GoAnywhere admin consoles use ports 8000 and 8001. (Source: Kevin Beaumont on Mastadon)
Fortra urges clients to apply emergency patch 7.1.2 as quickly as possible. If for some reason you can't, Fortra says you should follow the mitigation steps it put out days before, which involves implementing some access control wherein the administrator console interface should only be accessed from trusted sources, or disabling the licensing service altogether. There is also a technical mitigation configuration shared in the advisory.
Furthermore, clients must take the following additional steps after applying the mitigation steps if they suspect that attackers have already compromised their systems:
- Rotate the master encryption key.
- Reset credentials.
- Review audit logs and delete suspicious admin or user accounts.
- Contact Fortra support by going to its portal, emailing technicians at email@example.com, or phoning them up at 402-944-4242.
We don't just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.