The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, claiming to have stolen data from more than 130 organizations.

The security flaw, now identified as CVE-2023-0669allows attackers to achieve remote code execution on unpatched GoAnywhere MFT instances with their admin console exposed to internet access.

Clop contacted BleepingComputer and told us that they allegedly stole the data for ten days after breaching servers that were vulnerable to exploits targeting this bug.

However, the gang declined to provide evidence or share any additional details regarding their claims when BleepingComputer asked them when the attacks started, if they had already started extorting their victims, and what ransoms they were demanding.

They also claimed they could move laterally through their victims’ networks and deploy ransomware payloads to encrypt their systems, but decided against it and only stole documents stored on the servers. GoAnywhere MFT compromised.

BleepingComputer could not independently confirm Clop’s claims, and Fortra did not respond to emails requesting more information regarding the exploitation of CVE-2023-0669 and the ransomware group’s claims.

Actively Exploited Flaw in Secure File Transfer Tool

Fortra, developer of GoAnywhere MFT (formerly known as HelpSystems) disclosed to its customers over the weekend that the vulnerability was being exploited as day zero in the wild.

Monday, a proof-of-concept exploit was also published onlineallowing unauthenticated remote code execution on vulnerable servers.

The company issued emergency security updates the next day to allow customers to secure their servers against incoming attack attempts.

Since then, Fortra has posted another update on its support website (accessible only after logging in with a user account) on Thursday, stating that some of its MFTaaS instances were also hacked in the attacks.

“We have determined that an unauthorized party gained access to the systems through a previously unknown exploit and created unauthorized user accounts,” Fortra said.

“As part of our actions to resolve this issue and out of an abundance of caution, we have implemented a temporary service outage. Service continues to be restored on a customer-by-customer basis as mitigation measures are applied and verified in each environment.

“We work directly with clients to assess their individual potential impact, apply mitigation measures and restore systems.”

CISA too added the CVE-2023-0669 GoAnywhere MFT vulnerability to itsCatalog of known exploited vulnerabilities Friday, ordering federal agencies to patch their systems within the next three weeks, through March 3.

While Shodan shows that more than 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001 (those used by the vulnerable administration console).

Clop’s Accellion Extortion Attacks

Clop’s alleged use of zero-day GoAnywhere MFT to steal data is a tactic very similar to the one they used in December 2020, when they discovered and exploited a Zero Day Accellion FTA vulnerability to steal the data of about 100 companies.

At the time, companies were receiving emails demanding the payment of a $10 million ransom to prevent their data from being publicly disclosed.

During the 2020 Accellion attacks, Clop operators stole large amounts of data from leading companies using Accellion’s former File Transfer Appliance (FTA).

Organizations whose servers have been hacked by Clop include, among others, energy giant Shell, supermarket giant Kroger, cybersecurity company Qualysand several universities around the world (for example, Stanford Medicine, University of ColoradoUniversity of Miami, University of Maryland Baltimore (UMB) and University of California).

In June 2021, part of Clop’s infrastructure was shut down following an international law enforcement operation dubbed Operation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in Ukraine.

The gang has also been linked to ransomware attacks around the world since at least 2019. Some victims whose servers were encrypted by Clop include Maastricht University, AG IT software, ExecuPharmAnd Indebulls.