Experts have warned of active exploitation of a zero-day bug in Fortra’s GoAnywhere MFT application. The company has promptly released an emergency patch for the flaw.
Diving into details
The vulnerability is a remote code execution (RCE) flaw that involves gaining access to the administrative console of the secure file transfer tool. This console is usually reachable only from a private company network, from allow-listed IP addresses, or over a VPN.
However, a Shodan scan revealed that around 1,000 GoAnywhere MFT instances are publicly exposed, and 140 of those are reachable on ports 8000 and 8001.
Furthermore, it is very likely that the attackers gained administrative access by targeting default, reused, and weak credentials.
PoC exploit code
Proof-of-concept (PoC) exploit code against vulnerable GoAnywhere MFT servers has also been developed. Security researcher Florian Hauser of Code White has prepared technical details and proof-of-concept attack code. He said, “I could provide a working PoC to my teammates within hours on the same day to protect our clients first.”
Mitigations
While the foremost step is to apply the GoAnywhere MFT patch immediately, the following measures should be taken if patching is not possible:
Implement access controls so that the admin interface is reachable only from trusted sources, or disable the licensing service.
Since the threat actors may have compromised data in the environment, organizations should determine whether any credentials are stored in the environment and revoke them.
This applies to all keys and passwords used to access any external systems integrated with GoAnywhere MFT.
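To illustrate the first mitigation step, here is an added example that is not part of the article and not Fortra's code. It builds an allow-list for the admin-interface ports 8000 and 8001 named above from a set of trusted networks, refuses an allow-list entry that would admit every source, emits the matching nftables rules, and audits constructed exposure records for admin ports reachable from untrusted addresses. The port numbers come from the article; the trusted CIDRs, the sample records, and the nftables table and chain names are assumptions.

```python
import ipaddress

# Admin-interface ports named in the article.
ADMIN_PORTS = (8000, 8001)

# Constructed sample allow-list (assumption): a corporate range and a VPN pool.
TRUSTED_NETWORKS = ["10.20.0.0/16", "192.0.2.0/24"]


def parse_networks(cidrs):
    """Validate CIDR strings strictly and reject catch-all prefixes.

    A /0 entry would admit every source and silently defeat the allow-list,
    so it is treated as a configuration error rather than accepted.
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on host bits or junk
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} would allow every source; refusing to use it")
        nets.append(net)
    return nets


def is_source_trusted(src_ip, cidrs):
    """Return True if src_ip falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in parse_networks(cidrs))


def build_nft_rules(cidrs, ports=ADMIN_PORTS, table="inet filter", chain="input"):
    """Emit nftables rules: accept the admin ports from trusted networks, drop the rest.

    The table/chain layout is an assumption about the deployment; adjust to taste.
    """
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    rules = []
    for net in parse_networks(cidrs):
        family = "ip" if net.version == 4 else "ip6"
        rules.append(f"add rule {table} {chain} {family} saddr {net} tcp dport {port_set} accept")
    # Final catch-all: anything else hitting the admin ports is counted and dropped.
    rules.append(f"add rule {table} {chain} tcp dport {port_set} counter drop")
    return rules


def audit_exposures(records, cidrs):
    """Flag (host, port, source) records where an admin port was reached from an untrusted source."""
    return [
        (host, port, src)
        for host, port, src in records
        if port in ADMIN_PORTS and not is_source_trusted(src, cidrs)
    ]


# Constructed sample access records (assumption): host, destination port, source address.
SAMPLE_RECORDS = [
    ("mft-01.example.test", 8000, "10.20.5.9"),     # trusted corporate source
    ("mft-01.example.test", 8001, "203.0.113.7"),   # untrusted Internet source
    ("mft-01.example.test", 443, "203.0.113.7"),    # not an admin port, ignored here
]

if __name__ == "__main__":
    for rule in build_nft_rules(TRUSTED_NETWORKS):
        print(rule)
    for finding in audit_exposures(SAMPLE_RECORDS, TRUSTED_NETWORKS):
        print("admin port reachable from untrusted source:", finding)
```

Generating the rules from the same validated list that the audit uses keeps the enforced policy and the check for violations in agreement, which is the property you want when deciding whether an instance still needs to be pulled off the Internet before the patch lands.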
The bottom line
While there is no silver-bullet solution for keeping a company or organization safe in the digital age, vulnerability management and patching are among the best defenses against such threats. Applying the patch as soon as possible and following the mitigation steps above is therefore recommended to avoid successful exploitation of the GoAnywhere MFT flaw.