Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data.
The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18.
“The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments,” the company said. “For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments.”
While Netcat is a legitimate program for managing reading and writing data over a network, it’s currently not known how the JSP file was used in the attacks.
The investigation also found that CVE-2023-0669 was exploited against a small number of on-premise implementations running a specific configuration of the GoAnywhere MFT solution.
The development comes as Malwarebytes and NCC Group reported a spike in ransomware attacks during the month of March, largely driven by active exploitation of the GoAnywhere MFT vulnerability.
Cl0p’s exploitation spree marks the second time LockBit has been knocked off the top spot since September 2021. Other prevalent ransomware strains included Royal, BlackCat, Play, Black Basta, and BianLian.
It’s worth noting that the Cl0p actors previously exploited zero-day flaws in Accellion File Transfer Appliance (FTA) to breach several targets in 2021.
Source: https://thehackernews.com/
