GoAnywhere MFT zero-day flaw actively exploited

Threat actors are actively exploiting a zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file transfer application.

Experts warn that threat actors are actively exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT managed file transfer application.

The popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.


“GoAnywhere MFT, a popular file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily implemented a service outage in response.” Krebs wrote on Mastodon. “I had to create an account on the service to find this security advisory”

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.


“A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).” reads the advisory. “If the administrative console is exposed to the public internet, it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources. The Web Client interface, which is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.”

Installs whose administrative consoles and management interfaces are not exposed on the internet are safe; however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends that GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by system.


“The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.” reads a post published by Rapid7. “Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.”

Fortra has yet to address the flaw; in the meantime, the company recommends removing the “License Response Servlet” configuration from the web.xml file as a temporary solution.
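
One way to verify that the temporary mitigation above has been applied, as an added example that is not from Fortra or the original article: the script parses a web.xml and reports whether a servlet or servlet-mapping named “License Response Servlet” is still declared. The sample web.xml is constructed, and its class names and URL pattern are placeholders, not the product's real values.

```python
import xml.etree.ElementTree as ET

TARGET = "License Response Servlet"  # servlet name as quoted in the article

# Constructed sample web.xml; class names and URL pattern are placeholders,
# not the product's real values.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Dashboard Servlet</servlet-name>
    <servlet-class>example.placeholder.DashboardServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>example.placeholder.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/placeholder/path</url-pattern>
  </servlet-mapping>
</web-app>
"""

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_servlet_config(xml_text, name=TARGET):
    """Return the element kinds (servlet / servlet-mapping) still declaring `name`.

    XML comments are dropped by the parser, so a commented-out block
    counts as removed.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        if local(elem.tag) not in ("servlet", "servlet-mapping"):
            continue
        for child in elem:
            text = (child.text or "").strip().lower()
            if local(child.tag) == "servlet-name" and text == name.lower():
                hits.append(local(elem.tag))
    return hits

def mitigation_applied(xml_text, name=TARGET):
    """True only when neither the servlet nor its mapping remains declared."""
    return not find_servlet_config(xml_text, name)
```

Checking for both element kinds matters because removing only the `servlet` block while leaving its `servlet-mapping` leaves the configuration partially in place.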


Pierluigi Paganini


(SecurityAffairs – hacking, GoAnywhere MFT)



