Published on 25 Mar 2023 | Updated on 25 Mar 2023
There is an ongoing ransomware campaign actively exploiting a vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer (MFT), a system that allows companies to securely transfer huge sets of data and other large files.
Successful exploitation of the pre-authentication command injection vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed to the Internet.
Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.
Type | Indicator | Description |
---|---|---|
IP | 5[.]188[.]206[.]76 | Malware Host |
IP | 92[.]118[.]36[.]213 | Command and Control |
Domain | qweastradoc[.]com | Command and Control |
File Name | gamft.dll | Malware DLL |
File Name | larabqFa.exe | Malware Executable |
File Name | Pxaz.dll | Malware DLL |
Users and administrators with an Internet-exposed GoAnywhere MFT administration console are advised to download and apply the security patch immediately.
Network administrators are also advised to scan their networks for the presence of these IOCs and to configure their firewall rules to block connections to domains associated with the campaign. They are further recommended to limit open ports to the systems that need them and to consider changing the default GoAnywhere Administrator ports (i.e. 8000 and 8001), which have been observed on vulnerable GoAnywhere MFT instances.
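As an added example (not code from the advisory), the script below refangs the indicators in the table above and checks a handful of constructed firewall, DNS and EDR log lines against them; the log format, host names and internal addresses are assumptions.

```python
import re
from typing import Dict, List, Tuple

# IOCs from the advisory, kept in the defanged form the page uses.
ADVISORY_IOCS: Dict[str, Tuple[str, str]] = {
    "5[.]188[.]206[.]76": ("IP", "Malware Host"),
    "92[.]118[.]36[.]213": ("IP", "Command and Control"),
    "qweastradoc[.]com": ("Domain", "Command and Control"),
    "gamft.dll": ("File Name", "Malware DLL"),
    "larabqFa.exe": ("File Name", "Malware Executable"),
    "Pxaz.dll": ("File Name", "Malware DLL"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('5[.]188[.]206[.]76') back into its live form."""
    return indicator.replace("[.]", ".")


def build_pattern(indicator: str, ioc_type: str) -> "re.Pattern":
    """Compile an anchored, case-insensitive matcher for one refanged indicator.

    The lookarounds stop '5.188.206.76' matching inside '15.188.206.76' and
    'gamft.dll' matching inside 'mygamft.dll'; domains also match their subdomains.
    """
    body = re.escape(indicator)
    if ioc_type == "Domain":
        body = r"(?:[\w-]+\.)*" + body
    return re.compile(r"(?<![\w.-])" + body + r"(?![\w.-])", re.IGNORECASE)


MATCHERS = [(refang(i), t, d, build_pattern(refang(i), t)) for i, (t, d) in ADVISORY_IOCS.items()]


def scan(lines: List[str]) -> List[dict]:
    """Return one hit per (line, indicator) pair found in the given log lines."""
    hits = []
    for n, line in enumerate(lines):
        for indicator, ioc_type, desc, pat in MATCHERS:
            if pat.search(line):
                hits.append({"line": n, "indicator": indicator, "type": ioc_type, "description": desc})
    return hits


# Constructed sample log lines (not from the advisory): firewall, DNS and EDR events.
SAMPLE_LOGS = [
    "2023-03-20T02:11:09Z fw01 DENY tcp src=10.1.4.22 dst=92.118.36.213 dport=443",
    "2023-03-20T02:11:10Z dns01 query client=10.1.4.22 name=qweastradoc.com type=A",
    "2023-03-20T02:12:41Z edr host=mft-prod-01 event=file_create path=C:\\Windows\\Temp\\gamft.dll",
    "2023-03-20T02:13:00Z fw01 ALLOW tcp src=10.1.4.22 dst=15.188.206.76 dport=80",
    "2023-03-20T02:14:05Z edr host=mft-prod-01 event=file_create path=C:\\Users\\svc\\report.pdf",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h['line']}: {h['type']} {h['indicator']} ({h['description']})")
```

The fourth sample line deliberately carries a near-miss address (15.188.206.76) to show that the anchored matcher does not produce a false positive on it.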
Users and administrators may refer to our advisory on how to protect their systems and data from ransomware threats at:
https://www.csa.gov.sg/docs/default-source/publications/singcert/pdfs/singcert-advisory-protect-your-systems-and-data-from-ransomware-attacks.pdf?sfvrsn=7bd59440_1
If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist at:
https://www.csa.gov.sg/docs/default-source/publications/singcert/pdfs/ransomware-response-checklist.pdf?sfvrsn=6c852e82_1
More information is available here:
https://therecord.media/clop-ransomware-adds-dozens-to-goanywhere-victim-list
https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits