{"id":21295,"date":"2023-02-20T16:10:31","date_gmt":"2023-02-21T00:10:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/02\/20\/news-15027\/"},"modified":"2023-02-20T16:10:31","modified_gmt":"2023-02-21T00:10:31","slug":"news-15027","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/02\/20\/news-15027\/","title":{"rendered":"GoAnywhere zero-day opened door to Clop ransomware"},"content":{"rendered":"<p>A semi-active ransomware group has claimed it is behind a string of attacks that have taken advantage of a <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/update-now-goanywhere-mft-zero-day-patched\">zero-day vulnerability<\/a> in GoAnywhere MFT.<\/p>\n<p>The Russian-linked Clop ransomware group says it was able to remotely attack private systems using exposed GoAnywhere MFT administration consoles accessible on the public internet. BleepingComputer&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day\/\" target=\"_blank\">reports<\/a>&nbsp;the group&nbsp;claimed it gained access to and stole data from the GoAnywhere servers of at least 130 organizations.<\/p>\n<p>One of Clop&#8217;s victims was Community Health Systems (CHS), a Fortune 500 healthcare services provider in the US. It recently&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1108109\/000119312523035789\/d422693d8k.htm\" target=\"_blank\">filed a Form 8-K<\/a>&nbsp;to the Securities and Exchange Commission (SEC), announcing the compromise of its system and disclosure of company data, including protected health information (PHI) and personal information (PI) of certain patients. 
CHS didn&#8217;t disclose the specific number of affected individuals.<\/p>\n<p>Since the release of the emergency patch, Fortra has revealed that attackers also breached some of its MFTaaS instances during the attack.<\/p>\n<p>The Cybersecurity &amp; Infrastructure Security Agency (CISA) recently added&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-0669\" target=\"_blank\">CVE-2023-0669<\/a>&nbsp;to its&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\">Known Exploited Vulnerabilities Catalog<\/a>, a list of software flaws that federal organizations must patch within two weeks. It&#8217;s helpful for&nbsp;non-federal&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/how-the-cisa-catalog-can-help-our-organization\">organizations&nbsp;to refer to<\/a>&nbsp;as well,&nbsp;in order to help prioritize their patching.<\/p>\n<p>Thankfully, an&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/my.goanywhere.com\/webclient\/ViewSecurityAdvisories.xhtml\" target=\"_blank\">emergency patch<\/a>&nbsp;(7.1.2) has been available since last week.<\/p>\n<p>As well as the patch, GoAnywhere clients are also encouraged to:<\/p>\n<ul>\n<li>Rotate the master encryption key.<\/li>\n<li>Reset credentials.<\/li>\n<li>Review audit logs and delete suspicious admin or user accounts.<\/li>\n<li>Contact Fortra support by going to its&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/my.goanywhere.com\/\" target=\"_blank\">portal<\/a>, emailing technicians at&nbsp;<a href=\"mailto:goanywhere.support@helpsystems.com\">goanywhere.support@helpsystems.com<\/a>, or phoning them at 402-944-4242.<\/li>\n<\/ul>\n<h2>How to avoid ransomware<\/h2>\n<ul>\n<li><strong>Block common forms of entry<\/strong>. 
Create a plan for&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">patching vulnerabilities<\/a>&nbsp;in internet-facing systems quickly; disable or&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2022\/03\/blunting-rdp-brute-force-attacks-with-rate-limiting\">harden remote access<\/a>&nbsp;like RDP and VPNs; use&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">endpoint security software<\/a>&nbsp;that can detect exploits and malware used to deliver ransomware.<\/li>\n<li><strong>Detect intrusions<\/strong>. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">EDR<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/business\/managed-detection-and-response\">MDR<\/a>&nbsp;to detect unusual activity before an attack occurs.<\/li>\n<li><strong>Stop malicious encryption<\/strong>. Deploy Endpoint Detection and Response software like&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/business\/edr\">Malwarebytes EDR<\/a>&nbsp;that uses multiple different detection techniques to identify ransomware.<\/li>\n<li><strong>Create offsite, offline backups<\/strong>. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.<\/li>\n<li><strong>Write an incident response plan<\/strong>. The period after a ransomware attack can be chaotic. Make a plan that outlines how you&#8217;ll isolate an outbreak, communicate with stakeholders, and restore your systems.<\/li>\n<\/ul>\n<hr \/>\n<p><strong>We don&#8217;t just report on threats&mdash;we remove them<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by <a href=\"https:\/\/www.malwarebytes.com\/for-home\">downloading&nbsp;Malwarebytes today<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/goanywhere-zero-day-opened-door-to-clop-ransomware\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/ransomware\" rel=\"category tag\">Ransomware<\/a><\/p>\n<p>Tags: Clop<\/p>\n<p>Tags:  Clop ransomware<\/p>\n<p>Tags:  ransomware<\/p>\n<p>Tags:  GoAnywhere<\/p>\n<p>Tags:  managed file transfer<\/p>\n<p>Tags:  MFT<\/p>\n<p>Tags:  Fortra<\/p>\n<p>Tags:  CISA<\/p>\n<p>Tags:  Known Exploited Vulnerabilities Catalog<\/p>\n<p>The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/goanywhere-zero-day-opened-door-to-clop-ransomware\" title=\"GoAnywhere zero-day opened door to Clop ransomware\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/goanywhere-zero-day-opened-door-to-clop-ransomware\">GoAnywhere zero-day opened door to Clop ransomware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23583,25304,26468,28567,28588,25335,28565,13142,32,3765],"class_list":["post-21295","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cisa","tag-clop","tag-clop-ransomware","tag-fortra","tag-goanywhere","tag-known-exploited-vulnerabilities-catalog","tag-managed-file-transfer","tag-mft","tag-news","tag-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21295"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21295\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21295"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}