An exploit has appeared on the network for a zero-day vulnerability actively used by hackers in the GoAnywhere MFT administration console. Fortra, the company behind the GoAnywhere MFT, was forced to release an emergency patch to fix this bug.
GoAnywhere MFT is a file transfer tool designed to help organizations securely share files with partners and maintain audit trails of who has accessed shared files. Behind its creation is Fortra (formerly known as HelpSystems), which also develops the well-known and widely used Cobalt Strike tool, aimed at pentesters and the red team, and focused on operation and post-operation.
At the end of last week, well-known information security journalist Brian Krebs warned in his Mastodon that Fortra developers discovered an RCE exploit and attacks on the GoAnywhere MFT, after which they were forced to temporarily disable their SaaS service.
At the same time, the company’s official announcement stated that the exploitation of the vulnerability requires access to the administrative console, which under normal conditions should not be accessible via the Internet at all. However, Shodan detects about 1000 available GoAnywhere instances on the Internet (although only about 140 installations were seen on ports 8000 and 8001, which are the defaults used by the affected admin console).
The company reported (access to the bulletin is possible only for clients with an account) that the vulnerability is already being used in attacks. Fortra has listed indicators of compromise for potentially affected clients, including a specific stack trace that should appear in compromised system logs.
Just a couple of days later, on Monday, researcher Florian Hauser of Code White, an information security consulting company, released the technical details of the vulnerability in the GoAnywhere MFT and the PoC exploit code. According to him, the problem allowed remote code execution on vulnerable GoAnywhere MFT servers without authentication.
Today, February 7, 2023, Fortra finally released an emergency patch for this 0-day vulnerability (7.1.2) and urged all customers to install it as soon as possible. The company emphasized that “customers using the administration portal available via the Internet” should take care of especially urgent installation of the fix.