Executive Summary
CloudSEK’s contextual AI digital risk platform XVigil recently discovered a number of companies being targeted by a ransomware group named Cl0p. Researchers have also established that the Cl0p ransomware group has been exploiting CVE-2023-0669 in GoAnywhere MFT. An exploit for this CVE was available a day before the patch (7.1.2) was released on February 7, 2023. Many vulnerable GoAnywhere admin panels were found indexed on Shodan, running on port 8000.
Cl0p ransomware is a high-profile ransomware strain that has been active since 2019. The group is also popularly known for its "double extortion" tactic, where stolen data is also threatened to be released unless a ransom is paid.
The vulnerability is a deserialization bug, exploited by sending a POST request to the endpoint at ‘/goanywhere/lic/accept’. A Metasploit module is also available to exploit it.
GoAnywhere MFT is a tool that helps people securely share files between different systems, employees, customers, and partners.
Detailed Analysis
The GoAnywhere web client interface (generally accessible from the internet) is not vulnerable to this exploit; only the administrative interface is. Threat actors can nevertheless search for web client interfaces on the internet and then look for admin panels on the same IP.
Shodan search results indicate that thousands of GoAnywhere web panels are exposed on the internet. Of these, around 94 are running on port 8000 or port 8001, where the admin panel (separate from the web panel) is located. To obtain remote code execution, only a POST request to the vulnerable endpoint is needed.
The USA hosts the majority of these vulnerable GoAnywhere MFT instances, and hence most of the recent victims of the Cl0p ransomware group are from that region.
About Cl0p Ransomware
Cl0p ransomware is a high-profile ransomware strain that has been active since 2019. It is a highly sophisticated and dangerous strain that has historically been known for targeting Microsoft Exchange servers by exploiting the ProxyShell vulnerabilities. In the past, the group has primarily targeted the healthcare sector and goes after data servers holding sensitive information.
The group is also popularly known for its "double extortion" tactic, where stolen data is also threatened to be released unless a ransom is paid.
Common Attack Vectors
While ransomware is typically distributed through multiple techniques, we see an increasing number of victims compromised via server software vulnerabilities. Because the group operates through multiple affiliates, several different techniques are in use:
- Phishing emails
- Exploited vulnerabilities
- Credentials exfiltrated by information stealers (a possible vector)
- Zero-days actively exploited in the wild
Vulnerability Analysis
The vulnerability is an insecure deserialization bug that allows Remote Code Execution (RCE). The vulnerable code is located in the administration console of GoAnywhere MFT and relies on the JGroups clustering message-exchange library. It can be found in a class called LicenseResponseServlet, which extends HttpServlet.
The vulnerability is caused by the doPost method, which takes an unvalidated user-input parameter and passes it to a method call at [2], which in turn reaches LicenseAPI.getResponse. From there, control flows into com.linoma.license.gen2.LicenseController.getResponse, where the deserialization actually takes place.
A Metasploit module is also available for exploiting this vulnerability. A PoC tool has also been released on GitHub; it takes the object containing malicious code stored in a .bin file and encrypts it. The encrypted object is sent via a POST request to the vulnerable endpoint at ‘/goanywhere/lic/accept’, after which the library tries to deserialize it and Remote Code Execution is achieved.
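Defenders can hunt for both the exposure described above (admin console reachable on port 8000/8001 from outside) and the exploit traffic itself (a POST to /goanywhere/lic/accept) in web-server access logs. The following is an added example, not CloudSEK's or Fortra's code; the log layout (Apache/Tomcat 'combined' format with a trailing server-port field), the trusted management ranges and the sample lines are all assumptions constructed for the demonstration.

```python
"""Flag CVE-2023-0669 exploit attempts and admin-console exposure in access logs."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional

ADMIN_PORTS = {8000, 8001}            # admin console ports named in the report
VULN_PATH = "/goanywhere/lic/accept"  # deserialization endpoint from the report
# Assumption: the operator's own management ranges; anything else is untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed layout: Apache/Tomcat 'combined' format plus a trailing server-port field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<port>\d+)'
)
Hit = namedtuple("Hit", "ip ts port status reason")

def classify(line: str) -> Optional[Hit]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, port, status = m["ip"], int(m["port"]), int(m["status"])
    # Drop query string and trailing slash so slight variations still match.
    path = m["path"].split("?", 1)[0].rstrip("/")
    if m["method"] == "POST" and path == VULN_PATH:
        # A POST to the license endpoint is exploit traffic regardless of status code.
        return Hit(ip, m["ts"], port, status, "post_to_lic_accept")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if port in ADMIN_PORTS and not any(addr in net for net in TRUSTED_NETS):
        # Admin console reached from outside the management ranges: exposure finding.
        return Hit(ip, m["ts"], port, status, "admin_port_from_untrusted_ip")
    return None

def scan(log_text: str) -> List[Hit]:
    return [h for h in map(classify, log_text.splitlines()) if h]

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2023:10:01:02 +0000] "GET /goanywhere/ HTTP/1.1" 200 512 8000
198.51.100.23 - - [07/Feb/2023:10:02:11 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 0 8000
203.0.113.7 - - [07/Feb/2023:10:03:44 +0000] "GET /webclient/ HTTP/1.1" 200 2048 443
198.51.100.23 - - [07/Feb/2023:10:04:09 +0000] "GET /goanywhere/ HTTP/1.1" 302 0 8001
"""
```

Running `scan(SAMPLE_LOG)` yields two hits: the POST to the license endpoint and the later admin-port request from the same untrusted address; the internal admin login and the public web-client request are left alone.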
Mitigation
- Update your system and stop exposing port 8000, where the GoAnywhere MFT admin panel is located, to the internet.
- Log in to your account and follow the steps in the GoAnywhere security advisory.
- Review admin user accounts for suspicious activity, including unrecognized usernames, accounts created by 'system' that aren't recognized, suspicious timing of account creation, and non-existent or disabled super users creating accounts.
- Contact GoAnywhere MFT support via the portal, email, or phone for assistance.