Exploit Code Released For Critical Fortra GoAnywhere Bug

Written by

Threat actors could soon strike after a proof-of-concept exploit was published for a critical vulnerability in managed file transfer (MFT) software Fortra GoAnywhere MFT yesterday.

Horizon3 published details on how to exploit CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4 2023 but only publicly revealed by the vendor on Monday.

The bug is given a CVSS score of 9.8 and could allow an unauthorized user to create an admin user via the product’s administration portal – thus enabling them to take complete remote control of a customer’s environment and access their network.

GoAnywhere MFT was last year targeted by the infamous Clop extortion group in a similar way to its infamous MOVEit campaign.  

The group managed to compromise data from around 100 victim organizations after exploiting a remote code execution flaw (CVE-2023-0669) in the Fortra MFT product.

Read more on Fortra GoAnywhere MFT: Clop Ransomware Group Exploits GoAnywhere MFT Flaw

Among the victims at the time were pediatric mental health provider Brightline, which warned that data on over 780,000 children had been exposed in the compromise.

It’s highly likely now that exploit code has been published that threat actors will probe for unpatched GoAnywhere MFT installations. In fact, one vendor is already seeing chatter in cybercrime circles.

“We have already observed proof-of-concept exploit code being circulated this morning by threat actors in at least one Telegram channel,” warned Searchlight Cyber threat intelligence engineer, Joe Honey. “We strongly advise that organizations prioritize the patch that has been released and monitor the admin users group inside the software for any unrecognized activity"

Horizon3 explained how concerned Fortra customers can check if they may have already been targeted.

“The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise,” it said.

“Additionally, logs for the database are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain transactional history of the database, for which adding users will create entries.”

What’s hot on Infosecurity Magazine?