The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, claiming to have stolen data from more than 130 organizations.

The security flaw, now identified as CVE-2023-0669allows attackers to achieve remote code execution on unpatched GoAnywhere MFT instances with their admin console exposed to internet access.

Clop contacted BleepingComputer and told us that they allegedly stole the data for ten days after breaching servers that were vulnerable to exploits targeting this bug.

They also claimed they could move laterally through their victims’ networks and deploy ransomware payloads to encrypt their systems, but decided against it and only stole documents stored on the servers. GoAnywhere MFT compromised.

The gang declined to provide evidence or share any additional details regarding their claims when BleepingComputer asked them when the attacks began, if they had already started extorting their victims, and what ransoms they were demanding.

BleepingComputer could not independently confirm Clop’s claims, and Fortra did not respond to emails requesting more information regarding the exploitation of CVE-2023-0669 and the ransomware group’s claims.

However, Huntress Threat Intelligence lead Joe Slowik linked GoAnywhere MFT attacks to TA505a threat group known to have deployed Clop ransomware in the past, while investigating an attack where TrueBot malware downloader was deployed.

“Although the links are not authoritative, analysis of Truebot activity and deployment mechanisms indicate links to a group called TA505. Distributors of a ransomware family called Clop, reports from various entities link the Silence/Truebot activity to TA505 operations,” Slowik said. .

“Based on the actions observed and previous reports, we can conclude with moderate confidence that the activity observed by Huntress was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose.”

Actively Exploited Flaw in Secure File Transfer Tool

Fortra, developer of GoAnywhere MFT (formerly known as HelpSystems) disclosed to its customers last week that the vulnerability was being exploited as day zero in the wild.

Monday, a proof-of-concept exploit was also published onlineallowing unauthenticated remote code execution on vulnerable servers.

The company issued emergency security updates the next day to allow customers to secure their servers against incoming attack attempts.

Since then, Fortra has posted another update on its support website (accessible only after logging in with a user account) on Thursday, stating that some of its MFTaaS instances were also hacked in the attacks.

“We have determined that an unauthorized party gained access to the systems through a previously unknown exploit and created unauthorized user accounts,” Fortra said.

“As part of our actions to resolve this issue and out of an abundance of caution, we have implemented a temporary service outage. Service continues to be restored on a customer-by-customer basis as mitigation measures are applied and verified in each environment.

“We work directly with clients to assess their individual potential impact, apply mitigation measures and restore systems.”

CISA too added the CVE-2023-0669 GoAnywhere MFT vulnerability to itsCatalog of known exploited vulnerabilities Friday, ordering federal agencies to patch their systems within the next three weeks, through March 3.

While Shodan shows that more than 1,000 GoAnywhere instances are exposed online, only 135 are on ports 8000 and 8001 (those used by the vulnerable administration console).

Clop’s Accellion Extortion Attacks

Clop’s alleged use of zero-day GoAnywhere MFT to steal data is a tactic very similar to the one they used in December 2020, when they discovered and exploited a Zero Day Accellion FTA vulnerability to steal the data of about 100 companies.

At the time, companies were receiving emails demanding the payment of a $10 million ransom to prevent their data from being publicly disclosed.

During the 2020 Accellion attacks, Clop operators stole large amounts of data from leading companies using Accellion’s former File Transfer Appliance (FTA).

Organizations whose servers have been hacked by Clop include, among others, energy giant Shell, supermarket giant Kroger, cybersecurity company Qualysand several universities around the world (for example, Stanford Medicine, University of ColoradoUniversity of Miami, University of Maryland Baltimore (UMB) and University of California).

In June 2021, part of Clop’s infrastructure was shut down following an international law enforcement operation dubbed Operation Cyclone when six money launderers who provided services to the Clop ransomware gang were arrested in Ukraine.

The gang has also been linked to ransomware attacks around the world since at least 2019. Some victims whose servers were encrypted by Clop include Maastricht University, AG IT Software, ExecuPharmAnd Indebulls.

Updated February 10, 3:25 p.m. EST: Added a section showing that Huntress linked GoAnywhere MFT attacks to threat actors known to deploy Clop ransomware.