Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles.
GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files.
Its developer is Fortra (formerly known as HelpSystems), the outfit behind the widely abused Cobalt Strike threat emulation tool.
On Monday, security researcher Florian Hauser of IT security consulting firm Code White released technical details and proof-of-concept exploit code that performs unauthenticated remote code execution on vulnerable GoAnywhere MFT servers.
“I could provide a working PoC (compare hash and time of my tweet) to my teammates within hours on the same day to protect our clients first,” Hauser said.
Fortra says that “the attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”
However, a Shodan scan shows that almost 1,000 GoAnywhere instances are exposed on the Internet, although just over 140 are on ports 8000 and 8001 (the ones used by the vulnerable admin console).
The company is yet to publicly acknowledge this remote pre-authentication RCE security flaw exploited in attacks (to read the advisory, you need to create a free account first) and hasn’t released security updates to address the vulnerability, thus leaving all exposed installations vulnerable to attacks.
However, the private advisory provides indicators of compromise, including a specific stacktrace that shows up in the logs on compromised systems.
“If this stacktrace is in the logs, it is very likely this system has been the target of attack,” Fortra says.
It also contains mitigation advice that includes implementing access controls to allow access to the GoAnywhere MFT administrative interface only from trusted sources or disabling the licensing service.
To disable the licensing server, admins have to comment out or delete the servlet and servlet-mapping configuration for the License Response Servlet in the web.xml file to disable the vulnerable endpoint. A restart is required to apply the new configuration.
“Due to the fact that data in your environment could have been accessed or exported, you should determine whether you have stored credentials for other systems in the environment and make sure those credentials have been revoked,” Fortra added in an update issued on Saturday.
“This includes passwords and keys used to access any external systems with which GoAnywhere is integrated.
“Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”
Fortra also recommends taking the following measures after mitigation in environments with suspicion or evidence of an attack:
- Rotate your Master Encryption Key.
- Reset credentials – keys and/or passwords – for all external trading partners/systems.
- Review audit logs and delete any suspicious admin and/or web user accounts
- Contact support via the portal https://my.goanywhere.com/, email email@example.com, or phone 402-944-4242 for further assistance.