Fortra recently released (Jan 22nd) a security advisory for a ‘critical authentication bypass vulnerability’ (CVE-2024-2024) in their GoAnywhere MFT software. This most recent critical GoAnywhere MFT vulnerability, (with a CVSS score of 9.8/10) allows unauthorised users to bypass authentification and create admin users.
Any GoAnywhere versions preceeding version 7.4.1 (6.x from 6.0.1 and 7.x) are affected.
Fortra stresses that, as yet, there have been no detected exploit attempts. However, global online enterprise technology news publication The Register note that ‘it’s only a matter of time before exploit attempts start amassing in the near future’ as ‘proof of concept code is now publicly available.’
Second recent GoAnywhere MFT Vulnerability
This is the second GoAnywhere MFT vulnerability affecting users in the past twelve months. This time last year, users were affected by vulnerability CVE 2023-0669 (cvss score of 7.2) which required emergency patching.
This pre-authentication command injection vulnerability was subsequently exploited by the Clop ransomware group. Although this vulnerability was less severe than the most recent, it resulted in data breeches for over 130 organisations including Hitachi and Procter & Gamble.
Other MFT software targeted cyber-attacks in 2023
Another major MFT vulnerability came to light in May 2023 when Progress Software revealed an SQL injection flaw, (CVE-2023-34362) in its MoveIt MFT software.
As with the January 2023 GoAnywhere MFT vulnerability, the MoveIt file transfer vulnerability was exploited by the Clop ransomware gang (also known as TA505).
According to TechTarget, attackers compromised MoveIt File Transfer users and stole customer data. Soon after, ‘dozens of victims emerged, both through data breach disclosures as well as listings on Clop’s data leak site’ including ‘state and federal government agencies as well as British Airways, Extreme Networks and Siemens Energy.’
The FBI and CISA commented on the Progress Software attack:
‘Due to the speed and ease TA505 has exploited this vulnerability and based on their past campaigns, we expect to see widespread exploitation of unpatched software services in both private and public networks.’
Suggestion Action
Fortra has recommended that users upgrade to version 7.4.1 or higher and delete the InitialAccountSetup.xhtml file in non-container deployments, restarting the services. For container-deployed instances, replacing the file with an empty one and restarting services should mitigate the issue.
Need for Effective Attack Surface Management
As well as being an additional set-back for GoAnywhere MFT users (according to Fortra the product has 4,000+ customers) this recent vulnerability emphasises the growing need for effective attack surface management.
Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface.
Continuous monitoring of your external attack surface enables the detection and assessment of known and unknown vulnerabilities and attack vectors in real-time.
Security Ecosystem Visibility
As digital threats increase and cyber criminals become increasingly sophisticated, the roles of security operations centre analysts are more critical than ever.
IBM’s QRadar SIEM ensures you get complete visibility across your security ecosystem. It enables security teams to face today’s threats proactively with advanced AI, powerful threat intelligence, and access to cutting-edge content to maximize analyst potential.
Whether you need cloud-native architecture built for hybrid scale and speed or a solution to complement your on-premises infrastructure, QRadar SIEM seamlessly integrates with your existing threat detection tools to ensure you get complete visibility across your entire security ecosystem.
Take an interactive tour of IBM QRadar SIEM here .
Our SABREX team has decades of experience in best practice implementation and maintenance of file transfer systems. Contact our SABREX experts today for more information on increasing the security and resilience of your managed file transfer systems.