A ransomware threat actor is exploiting a vulnerability in GoAnywhere to launch a spree of attacks, claiming dozens of additional victims, according to threat researchers.
More than 60 organizations were hit between March 22 and March 24, said Adam Meyers, SVP of intelligence at CrowdStrike. The latest attacks come after threat actors affiliated with Clop, also known as Cl0p, claimed more than 130 victims in early February.
Fortra, the company behind the file-transfer service, said it was first made aware of suspicious activity in some instances of GoAnywhere on Jan. 30. Fortra released a patch for the actively exploited zero-day vulnerability, which is being tracked as CVE-2023-0669, a week later.
This marks the second known global spree of ransomware attacks this year, both of which included subsequent bursts of activity. A ransomware variant dubbed ESXiArgs hit thousands of VMware servers in February.
“Carrying out mass exploitation and encryption attacks has a lot of appeal to ransomware groups and they will likely continue to experiment with this model,” Allan Liska, threat intelligence analyst and solutions architect at Recorded Future, said via email.
For Liska, this campaign serves as a reminder that ransomware groups have the resources and organization necessary to research or buy zero-day vulnerabilities and carry out mass attacks.
Attacks linked to the GoAnywhere vulnerability haven’t involved encryption thus far, but Clop threat actors claim to have breached organizations’ systems and exfiltrated data, said Brett Callow, threat analyst at Emsisoft.
New victims listed on Clop’s leak site include Procter & Gamble, Virgin, Saks Fifth Avenue and others.
“Service providers and platform providers are extremely attractive targets for ransomware operators as they can enable multiple client organizations to be compromised in one fell swoop,” Callow said via email.
Researchers are awaiting further details to assess the potential damage caused by these attacks, but mass breaches “can result in an enormous amount of data — let’s call it phishing bait — falling into bad actors’ hands,” Callow said.
The attacks are opportunistic, Meyers said, adding: “They found a vulnerability they could reliably exploit and they used it before they could lose it” once organizations patch the vulnerability.
The vulnerability allows threat actors to gain remote code execution on unpatched GoAnywhere systems whose administrative panel is exposed to the internet.
Mass attacks, akin to the Kaseya ransomware attack in 2021, eat up significant resources across impacted companies, partners, vendors and external incident response teams, Liska said.
“Teams have to spend weeks patching and assessing the damage from the attack, notifying partners or customers that may have been impacted and recovering from the attack,” Liska said. “If your organization was impacted by ESXiArgs and your organization also had GoAnywhere installed, you might not be fully recovered from the first attack before you were forced to address the second one.”
The Department of Health and Human Services issued an alert about Clop on Feb. 22 after the group claimed responsibility for an initial mass attack that hit more than 130 organizations, including some in the healthcare industry. The Cybersecurity and Infrastructure Security Agency declined to comment on the latest wave of attacks.
A Fortra spokesperson said the company is notifying customers who may be impacted and sharing instructions on how to apply the patch. “We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue,” the spokesperson said via email.
Fortra has not publicly released an advisory it shared with customers nor details about the patch for the vulnerability.
Clarification: The teaser of this article has been updated to indicate that researchers don’t know if Clop is actively exploiting the vulnerability or listing victim companies on its leak site on a staggered basis.