Researchers from cybersecurity firm Censys have found that dozens of organizations are still at risk of being hacked via a zero-day vulnerability in GoAnywhere MFT, a web-based file transfer tool. The Clop ransomware group has exploited the vulnerability, tracked as CVE-2023-0669, since February.
The governments of Toronto and Tasmania were affected, along with large corporations such as Procter & Gamble, Virgin and Hitachi. The vulnerability was patched in February, but the ransomware group claimed to have hacked more than 130 organizations.
Security company At-Bay confirmed that the BlackCat/AlphV group used the vulnerability to attack an unnamed US business in February.
Censys found that nearly 180 hosts were running exposed GoAnywhere MFT admin panels more than two months after the vulnerability was disclosed, with 30% still unpatched. The report warned that a single vulnerable instance could be the gateway to a data breach that could affect millions.
Security experts are alarmed because other ransomware groups have now been seen exploiting the vulnerability. At-Bay said the vulnerability was being targeted because the tool is designed to handle the secure transfer of sensitive data for organizations.
It recommended that users install the patch as soon as possible, especially if their admin portals are accessible from the internet.
The research showed that there has been a slow patch response since the fix was released in February, with a 46% decrease in the number of exposed GoAnywhere panels. As of 25 April, over 179 hosts were still running exposed instances, with 55 of these “showing indications of running vulnerable versions of the software”.
A Fortra spokesperson said that a blog post published on 17 April was the company’s “official statement on the incident and we have no further comment.” In the blog post, the company said it had determined that customers running an admin portal exposed to the internet were at increased risk and had communicated with them regarding mitigation of this risk.