The notorious CLOP ransomware gang recently stepped up its attacks against public and corporate infrastructure by exploiting GoAnywhere MFT, a managed file transfer product that remains exposed to a zero-day vulnerability tracked as CVE-2023-0669. The escalation saw 24 new victims listed in a single day, as reported on Twitter by FalconFeedsio on March 17, 2023.
CLOP #ransomware group has added 24 new victims to their list.
— FalconFeedsio (@FalconFeedsio) March 17, 2023
Victims:
-USWELLNESS.COM,
-ALLIEDBENEFIT.COM,
-GUINNESSPARTNERSHIP.COM,
-HOMEWOODHEALTH.COM,
-ITXCOMPANIES.COM,
-RIOTINTO.COM,
-INVESTQUEBEC.COM,
-MEDEXHCO.COM,
-NEWEUROPEANOFFSHORE.COM,
-GALDERMA.COM,… https://t.co/Gu8ouTc20G pic.twitter.com/dDG4cmcXlh
The vulnerability was discovered by security researcher Florian Hauser of Code White, who released technical details and proof-of-concept exploit code that achieves unauthenticated remote code execution on vulnerable GoAnywhere MFT servers. The exploit requires access to the application's administrative console, which is typically reachable only from within a private company network or through a VPN. However, a Shodan scan revealed that nearly 1,000 GoAnywhere instances were exposed to the internet, leaving them open to attack.
Despite the severity of the vulnerability, the vendor has neither publicly acknowledged the flaw nor released a security update to address it, leaving every exposed installation at risk. Its private advisory contains indicators of compromise and mitigation advice, including implementing access controls or disabling the licensing service.
To prevent further attacks, companies that use GoAnywhere should act immediately to mitigate the vulnerability by implementing access controls that allow access to the GoAnywhere MFT administrative interface only from trusted sources, or by disabling the licensing service. It is also recommended to rotate the master encryption key, reset credentials for all external trading partners and systems, review audit logs, and delete any suspicious admin and/or web user accounts.
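Two of the steps above, reviewing audit logs and identifying suspicious admin or web user accounts, can be partly automated. The following is an added example written for this article, not code from GoAnywhere or its vendor. It assumes a pipe-delimited audit export in the form `timestamp|source_ip|actor|event|detail`; the product's real log layout is not reproduced here, so `parse_line()` would need adapting to the format actually exported. The trusted network ranges, the baseline admin list and the log lines themselves are all constructed sample values.

```python
"""Triage of an MFT admin audit log after exposure to an admin-console flaw.

Added example (not GoAnywhere code). Flags admin console logins from outside
the trusted networks, admin accounts created outside the known baseline, and
any account created from an untrusted source, then lists the accounts that
should be reviewed and, if unexplained, deleted.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Placeholder trusted sources: a corporate LAN and a VPN pool (constructed values).
TRUSTED_NETWORKS = (
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
)

# Baseline of admin accounts that are expected to exist (constructed).
KNOWN_ADMINS = frozenset({"mft_admin", "backup_svc"})

# Constructed sample log in the assumed 'timestamp|source_ip|actor|event|detail' format.
# 203.0.113.0/24 is a documentation range, standing in for an untrusted internet source.
SAMPLE_AUDIT_LOG = """\
2023-03-16T02:11:04Z|10.20.3.7|mft_admin|ADMIN_LOGIN|console login ok
2023-03-16T02:12:30Z|10.20.3.7|mft_admin|USER_CREATE|user=backup_svc role=admin
2023-03-16T02:41:13Z|203.0.113.45|-|USER_CREATE|user=svc_update role=admin
2023-03-16T02:42:08Z|203.0.113.45|svc_update|ADMIN_LOGIN|console login ok
2023-03-16T02:45:30Z|203.0.113.45|svc_update|USER_CREATE|user=webxfer role=web
2023-03-16T09:05:12Z|10.20.3.9|mft_admin|USER_CREATE|user=partner_acme role=web
2023-03-16T09:06:00Z|192.168.50.12|backup_svc|ADMIN_LOGIN|console login ok
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<ip>[0-9a-fA-F.:]+)\|(?P<actor>[^|]*)\|(?P<event>[A-Z_]+)\|(?P<detail>.*)$"
)
DETAIL_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    kind: str
    timestamp: str
    source_ip: str
    account: str


def parse_line(line: str) -> Optional[dict]:
    """Split one audit line into fields; the detail's key=value pairs go into 'kv'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not treated as findings
    rec = m.groupdict()
    rec["kv"] = dict(DETAIL_KV_RE.findall(rec["detail"]))
    return rec


def is_trusted(ip: str) -> bool:
    """True only if the address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed source field is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text: str, known_admins=KNOWN_ADMINS) -> List[Finding]:
    """Walk the log and collect findings in file order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, event, kv = rec["ip"], rec["event"], rec["kv"]
        trusted = is_trusted(ip)
        if event == "ADMIN_LOGIN" and not trusted:
            findings.append(Finding("untrusted_admin_access", rec["ts"], ip, rec["actor"]))
        if event == "USER_CREATE":
            user, role = kv.get("user", "?"), kv.get("role", "?")
            if role == "admin" and user not in known_admins:
                findings.append(Finding("unexpected_admin_account", rec["ts"], ip, user))
            elif not trusted:
                findings.append(Finding("account_created_from_untrusted_source", rec["ts"], ip, user))
    return findings


def accounts_to_review(findings: List[Finding]) -> Set[str]:
    """Accounts named in account-creation findings: review, then delete if unexplained."""
    return {f.account for f in findings if f.kind != "untrusted_admin_access"}


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"{f.timestamp} {f.kind:40} {f.source_ip:15} {f.account}")
    print("accounts to review:", sorted(accounts_to_review(results)))
```

Run against the constructed sample, the script flags the admin account `svc_update` created from an untrusted address, the console login that follows with it, and the web user `webxfer` it created, while the baseline `backup_svc` creation and the partner web account made from the LAN pass silently. The same split between a trusted-source allow list and an account baseline is what the access-control and account-review steps above ask for.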
In conclusion, companies must remain vigilant against ransomware attacks and continuously update their security measures to protect their networks and data. Regular security assessments, penetration testing, and employee training can also help prevent future attacks.