Summary:
Exploit code has been released for a critical vulnerability in Fotra GoAnywhere MFT, a managed file transfer solution. Researchers from Horizon3 released exploit details for CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4, 2023, but only publicly revealed by the vendor on Monday.

The vulnerability is severe, receiving a CVSS score of 9.8, and allowing an unauthorized user to create an admin account via the product’s administration portal. From there, an adversary could take complete remote control of a victim’s environment and access their network.

Security Officer Comments:
The Clop ransomware group which carried out a prolific campaign against Progress’ MOVEit software vulnerability, have previously targeted GoAnywhere MFT in the past. The group managed to compromise data from around 100 victim organizations after exploiting a remote code execution flaw (CVE-2023-0669) in the Fortra MFT product. Among the victims at the time were pediatric mental health provider Brightline, which warned that data on over 780,000 children had been exposed in the compromise.

This newly disclosed exploit code will likely see threat actors probing GoAnywhere MFT installations. Researchers from Searchlight Cyber say they are already seeing threat actors discussing the exploit code in various cybercrime channels.

Suggested Corrections:
Horizon3 explained how concerned Fortra customers can check if they may have already been targeted.

“The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise,” it said.

“Additionally, logs for the database are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain transactional history of the database, for which adding users will create entries.”

Users should apply the latest patches provided by Fortra, which address this vulnerability. We expect threat actors exploitation attempts to escalate over the next few hours and days.

Link(s):
https://www.infosecurity-magazine.com/news/exploit-code-critical-fortra/
https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive