A security researcher has published proof-of-concept exploit code for GoAnywhere MFT that lets anyone reach a vulnerable instance and execute code on it without authenticating.
Since an Internet scan found around 1,000 GoAnywhere MFT instances exposed online, researchers are urging system administrators to apply the available mitigations as soon as possible. Fortra, the vendor, has so far issued only a private advisory; no patch is available yet.
Exploiting GoAnywhere MFT
GoAnywhere MFT is a web-based managed file transfer tool that organizations use to share files securely with their partners and to keep audit logs of who accessed which shared file. Because many firms depend on it for day-to-day business, any vulnerability found in it needs to be addressed immediately.
Its maker, Fortra, has not yet released a patch for a bug that lets an unauthenticated remote attacker access the system and execute code on it. Fortra is also the developer of Cobalt Strike, a legitimate red-team tool whose cracked copies are widely abused in intrusions.
On Monday, Florian Hauser of Code White released proof-of-concept code for exploiting GoAnywhere MFT remotely. Although Fortra says the attack requires access to the application's administrative console, plenty of those consoles are exposed to the public Internet with few restrictions.
Well done @frycos, such a sweet pre-auth RCE! https://t.co/JRE9DcXOGb pic.twitter.com/cJlvEmL2Km
— ϻг_ϻε (@steventseeley) February 4, 2023
A Shodan scan shows around 1,000 GoAnywhere instances reachable from the Internet, over 140 of them with ports 8000 and 8001 open to anyone. Those are the ports the admin console listens on, so they are the likely entry points for the vulnerable endpoint.
Fortra has not yet released a patch. It has, however, shared a private advisory (login required to view) that lists indicators of compromise: administrators are asked to look for a specific stack trace that shows up in the application logs on compromised systems.
If you find that stack trace, treat the system as breached and contact the GoAnywhere support team immediately. If not, it is strongly recommended to follow Fortra's mitigation advice: restrict access to the admin console to only those who need it, or disable the vulnerable licensing endpoint.
For the latter, system administrators must "comment out or delete the servlet and servlet-mapping configuration for the License Response Servlet in the web.xml file" to disable the vulnerable endpoint. Once the file is edited, restart the GoAnywhere MFT application for the change to take effect.
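As an added example (not code from this page or from Fortra), the web.xml edit above done with an XML parser rather than by hand, plus a post-change check that the endpoint is really gone. The file location (<install_dir>/adminroot/WEB-INF/web.xml), the exact servlet-name string "License Response Servlet", and the servlet-class and url-pattern values in the constructed sample are assumptions; confirm each against your own installation before relying on the result.

```python
"""Disable the License Response Servlet in GoAnywhere MFT's web.xml.

Added example, not Fortra's own code or advisory text. It performs the
mitigation the article quotes (remove the <servlet> and <servlet-mapping>
entries for the License Response Servlet) with an XML parser rather than a
hand edit, so a stray character cannot leave web.xml unparseable and keep the
admin console from starting after the restart.

Assumptions not stated on the page: the path <install_dir>/adminroot/WEB-INF/web.xml,
the exact servlet-name string below, and the servlet-class / url-pattern values
in the constructed sample. Check all three against your installation.
"""
import shutil
import sys
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

SERVLET_NAME = "License Response Servlet"   # assumed; verify in your web.xml

# Constructed sample for the demo, not a copy of a real GoAnywhere web.xml.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee web-app_3_1.xsd"
         version="3.1">
  <!-- other servlets must survive the edit -->
  <servlet>
    <servlet-name>Admin Console</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.example.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Admin Console</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _parse(path: Path) -> ET.ElementTree:
    # insert_comments=True keeps the comments shipped in web.xml (Python 3.8+)
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.parse(path, parser=parser)


def _local(tag) -> str:
    """Tag name without its '{namespace}' prefix; '' for comment nodes."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def find_license_entries(root: ET.Element) -> list:
    """Top-level <servlet>/<servlet-mapping> elements whose servlet-name matches."""
    hits = []
    for child in root:
        if _local(child.tag) not in ("servlet", "servlet-mapping"):
            continue
        for sub in child:
            if _local(sub.tag) == "servlet-name" and (sub.text or "").strip() == SERVLET_NAME:
                hits.append(child)
                break
    return hits


def license_servlet_present(web_xml: Path) -> bool:
    """Post-change check: True while the endpoint is still wired up."""
    return bool(find_license_entries(_parse(web_xml).getroot()))


def disable_license_servlet(web_xml: Path) -> int:
    """Back up web.xml, drop the matching entries, rewrite it. Returns entries removed."""
    tree = _parse(web_xml)
    root = tree.getroot()
    entries = find_license_entries(root)
    if not entries:
        return 0
    if root.tag.startswith("{"):
        # keep the default namespace unprefixed so the rewritten file resembles the original
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    shutil.copy2(web_xml, web_xml.with_name(f"{web_xml.name}.{stamp}.bak"))
    for entry in entries:
        root.remove(entry)
    tree.write(web_xml, encoding="UTF-8", xml_declaration=True)
    return len(entries)


def demo() -> dict:
    """Run the mitigation against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        web_xml = Path(tmp) / "web.xml"
        web_xml.write_text(SAMPLE_WEB_XML, encoding="utf-8")
        removed = disable_license_servlet(web_xml)
        text = web_xml.read_text(encoding="utf-8")
        return {
            "removed": removed,
            "still_present": license_servlet_present(web_xml),
            "admin_kept": text.count("Admin Console"),
            "comment_kept": "other servlets must survive" in text,
            "default_ns_kept": 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"' in text and "ns0:" not in text,
            "backup_made": len(list(Path(tmp).glob("web.xml.*.bak"))) == 1,
        }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        target = Path(sys.argv[1])
        n = disable_license_servlet(target)
        print(f"removed {n} entries; license servlet present: {license_servlet_present(target)}")
        print("restart the GoAnywhere MFT application so the change takes effect")
```

Run it as `python disable_license_servlet.py /path/to/web.xml`; with no argument it runs against the constructed sample. A timestamped backup is written beside the file before anything is removed and comments are preserved, but ElementTree drops a DOCTYPE declaration if the file has one, so diff the result against the backup before restarting the application.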
Once the mitigation is in place, Fortra also recommends the following steps, because an attacker who already exploited the flaw may hold keys or credentials that outlive the fix:
- Rotate your Master Encryption Key.
- Reset credentials (keys and/or passwords) for all external trading partners and systems.
- Review the audit logs and delete any suspicious admin and/or web user accounts.
- Contact GoAnywhere support through their portal for further assistance.