Feb 04, 2023Ravie Lakshmanan
A zero-day vulnerability affecting Fortra’s GoAnywhere MFT
managed file transfer application is being actively exploited in
the wild.
Details of the flaw were first publicly shared[1]
by security reporter Brian Krebs on Mastodon. No public advisory
has been published by Fortra.
The vulnerability is a case of remote code injection that
requires access to the administrative console of the application,
making it imperative that the systems are not exposed to the public
internet.
According to security researcher Kevin Beaumont, there are over
1,000 on-premise instances that are publicly accessible over the
internet, a majority of which are located in the U.S.
“The Fortra advisory Krebs quoted advises GoAnywhere MFT
customers to review all administrative users and monitor for
unrecognized usernames, especially those created by system,” Rapid7
researcher Caitlin Condon said[2].
“The logical deduction is that Fortra is likely seeing follow-on
attacker behavior that includes the creation of new administrative
or other users to take over or maintain persistence on vulnerable
target systems.”
Alternatively, the cybersecurity company said it’s possible for
threat actors to exploit reused, weak, or default credentials to
obtain administrative access to the console.
There is no patch currently available for the zero-day
vulnerability, although Fortra has released workarounds to remove
the “License Response Servlet” configuration from the web.xml
file.
Vulnerabilities in file transfer solutions have become appealing
targets for threat actors, what with flaws in Accellion[3]
and FileZen[4]
weaponized for data theft and extortion.
Found this article interesting? Follow us on Twitter [5]
and LinkedIn[6]
to read more exclusive content we post.
References
Read more https://thehackernews.com/2023/02/warning-hackers-actively-exploiting.html