Cl0p Ransomware Group Targets Multiple Entities By Exploiting CVE-2023-0669 in GoAnywhere MFT

CloudSEK’s contextual AI digital risk platform XVigil discovered a number of companies being targeted by a ransomware group named Cl0p recently.
Updated on
April 19, 2023
Published on
March 29, 2023

Executive Summary

XVigil, CloudSEK's contextual AI digital risk platform, recently identified several companies being targeted by the Cl0p ransomware group. Other researchers have established that Cl0p has been exploiting CVE-2023-0669 in GoAnywhere MFT. A working exploit was public a day before the patch (version 7.1.2) was released on February 7, 2023. Many vulnerable GoAnywhere admin consoles were found indexed on Shodan, listening on port 8000.

Cl0p is a high-profile ransomware strain that has been active since 2019. The group is also known for its "double extortion" tactic: in addition to encrypting systems, it threatens to publish the data it has stolen unless a ransom is paid.

The vulnerability is an insecure deserialization bug that is triggered by a single POST request to the endpoint '/goanywhere/lic/accept'. A Metasploit module is available to exploit it.

GoAnywhere MFT is a managed file transfer product for securely exchanging files between systems, employees, customers and partners.

Detailed Analysis

The GoAnywhere web client interface, which is usually internet-facing, is not affected by this vulnerability; only the administrative console is. Threat actors can nevertheless search the internet for web client interfaces and then probe the same IP address for an exposed admin console.

Image 1: Instances of GoAnywhere MFT still exposed on the web

Shodan search results show thousands of GoAnywhere web interfaces exposed on the internet. Of these, around 94 are listening on port 8000 or 8001, the ports on which the admin console (separate from the web client) is served. Against such an instance, a single unauthenticated POST request to the vulnerable endpoint is enough to obtain remote code execution.

The majority of these exposed GoAnywhere MFT instances are in the USA, which is consistent with most of the recent Cl0p victims being from that region.

About Cl0p Ransomware

Cl0p is a sophisticated and dangerous ransomware strain that has been active since 2019 and has historically targeted Microsoft Exchange servers by exploiting the ProxyShell vulnerabilities. In the past the group has primarily targeted the healthcare sector, going after data servers that hold sensitive information.

Its "double extortion" model means that a victim who restores from backup is still exposed: the group threatens to leak the stolen data unless the ransom is paid.

Common Attack Vectors

While ransomware is distributed through many techniques, we see a growing share of victims compromised through vulnerabilities in server software. Since the group operates through multiple affiliates, several different techniques are in use:

  • Phishing emails
  • Exploitation of known vulnerabilities
  • Credentials exfiltrated by information stealers (a likely, though less documented, vector)
  • Zero-day vulnerabilities actively exploited in the wild

Vulnerability Analysis

The vulnerability is an insecure deserialization bug that allows unauthenticated Remote Code Execution (RCE). The vulnerable code lives in the GoAnywhere MFT administration console and relies on the JGroups clustering message exchange library. It can be found in a class called LicenseResponseServlet, which extends HttpServlet.

Image 2: Vulnerable code

The entry point is the doPost method, which takes an unvalidated user-supplied parameter and passes it to the method call marked [2] in Image 2, which reaches LicenseAPI.getResponse. From there, execution enters com.linoma.license.gen2.LicenseController.getResponse, where the attacker-controlled data is finally deserialized.

A Metasploit module is available for this vulnerability. A proof-of-concept tool released on GitHub takes a serialized object containing the malicious payload (stored in a .bin file), encrypts it, and sends the encrypted object in a POST request to the vulnerable endpoint '/goanywhere/lic/accept' as the bundle parameter. The server decrypts and deserializes it, and remote code execution is achieved.

Image 3: A malicious post request with an exploit as payload
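Because the exploit is one POST to a single, rarely used endpoint, the admin console's access log is a cheap place to hunt for it. The following detection is an added example written for this article, not code from CloudSEK or Fortra. It assumes the admin console (or a reverse proxy in front of it) writes a Tomcat/Apache combined-format access log; the sample log lines are constructed for illustration and are not from a real incident.

```python
"""Flag CVE-2023-0669 exploitation attempts in a GoAnywhere admin-console access log.

Added example (not CloudSEK's or Fortra's code). Assumes a Tomcat/Apache
combined-format access log. SAMPLE_LOG is constructed, not real traffic.
"""
import re
from dataclasses import dataclass

# Combined-format line: src ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint served by the License Response Servlet: the single POST that
# triggers the deserialization. The path is compared lower-cased, without
# query string or trailing slash, so trivial variations still match.
VULN_PATH = "/goanywhere/lic/accept"

# Constructed sample: one legitimate admin session, one recon GET followed by a
# successful exploit POST, a junk line, and a post-workaround attempt (404).
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Feb/2023:09:01:12 +0000] "GET /goanywhere/admin/dashboard HTTP/1.1" 200 9844
203.0.113.7 - - [06/Feb/2023:13:22:40 +0000] "GET /goanywhere/lic/accept HTTP/1.1" 405 0
203.0.113.7 - - [06/Feb/2023:13:22:41 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 0
this line is not an access-log record
198.51.100.23 - - [08/Feb/2023:02:15:00 +0000] "POST /GoAnywhere/Lic/Accept?cb=1 HTTP/1.1" 404 0
"""


@dataclass
class Hit:
    src: str
    ts: str
    method: str
    status: int
    severity: str
    reason: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a Hit for requests aimed at the vulnerable servlet, else None."""
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    if path != VULN_PATH:
        return None
    if entry["method"] != "POST":
        sev, why = "low", "non-POST probe of the license endpoint (reconnaissance)"
    elif entry["status"] == 404:
        sev, why = "medium", "exploit-shaped POST, servlet not mapped (workaround in place)"
    elif entry["status"] == 200:
        sev, why = "high", "exploit-shaped POST accepted by a reachable servlet; investigate as likely compromise"
    else:
        sev, why = "medium", f"exploit-shaped POST answered with HTTP {entry['status']}"
    return Hit(entry["src"], entry["ts"], entry["method"], entry["status"], sev, why)


def scan(lines):
    """Run the detection over an iterable of log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"[{h.severity:6}] {h.ts} {h.src} {h.method} -> {h.status}: {h.reason}")
```

A 200 on the POST only tells you the servlet was reachable and accepted the request, so treat it as a trigger for a full investigation rather than proof of execution; a 404 after the workaround is still worth recording, since it shows who is probing the host.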

Mitigation

  • Update to GoAnywhere MFT 7.1.2 or later and stop exposing the admin console (port 8000, or 8001 for HTTPS, by default) to the internet.
  • Log in to your customer portal account and follow the steps in the GoAnywhere security advisory.
  • Review admin user accounts for suspicious activity, including unrecognized usernames, accounts created by 'system' that aren't recognized, suspicious timing of account creation, and non-existent or disabled super users creating accounts.
  • Contact GoAnywhere MFT support via the portal, email, or phone for assistance.
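Fortra's advisory also describes a workaround for instances that cannot be patched immediately: delete the "License Response Servlet" servlet and servlet-mapping entries from [install_dir]/adminroot/WEB-INF/web.xml and restart the service, which unmaps the /lic/accept endpoint. The script below is an added example, not Fortra's own tooling; it checks whether a web.xml still wires up that servlet and produces a copy with the entries removed. The sample web.xml is constructed for illustration (the "Example Servlet" entries are placeholders), and the servlet class name is taken from the advisory.

```python
"""Check for, and apply, the CVE-2023-0669 web.xml workaround.

Added example (not Fortra's code). SAMPLE_WEB_XML is a constructed fragment
of adminroot/WEB-INF/web.xml; only the License Response Servlet entries are
taken from the advisory, the other servlet is a placeholder.
"""
import xml.etree.ElementTree as ET

SERVLET_NAME = "License Response Servlet"

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>Example Servlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Example Servlet</servlet-name>
    <url-pattern>/example</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _parse(xml_text):
    # Bytes input lets the parser honour the encoding declaration.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def _servlet_name(element):
    return next((e.text.strip() for e in element if _local(e.tag) == "servlet-name" and e.text), None)


def license_servlet_entries(xml_text):
    """Return (kind, url-pattern) for every <servlet>/<servlet-mapping> naming the License Response Servlet."""
    found = []
    for child in _parse(xml_text):
        kind = _local(child.tag)
        if kind in ("servlet", "servlet-mapping") and _servlet_name(child) == SERVLET_NAME:
            pattern = next((e.text for e in child if _local(e.tag) == "url-pattern"), None)
            found.append((kind, pattern))
    return found


def is_vulnerable_config(xml_text):
    """True while a servlet-mapping still exposes the License Response Servlet."""
    return any(kind == "servlet-mapping" for kind, _ in license_servlet_entries(xml_text))


def apply_workaround(xml_text):
    """Return (new_xml, removed_count) with the License Response Servlet entries deleted.

    The returned text has no XML declaration; write it with encoding="UTF-8" and
    restart GoAnywhere afterwards, as the advisory instructs.
    """
    root = _parse(xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace unprefixed so the file stays readable by the container.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = 0
    for child in list(root):
        if _local(child.tag) in ("servlet", "servlet-mapping") and _servlet_name(child) == SERVLET_NAME:
            root.remove(child)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_config(SAMPLE_WEB_XML))
    fixed, n = apply_workaround(SAMPLE_WEB_XML)
    print(f"removed {n} entries; vulnerable now: {is_vulnerable_config(fixed)}")
```

The workaround removes the endpoint rather than fixing the deserialization, so it is a stopgap until the instance is on 7.1.2 or later; after either step, re-run the check and confirm a POST to /goanywhere/lic/accept returns 404.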
