CyberWire Daily - 8 GoAnywhere MFT breaches and counting. [Research Saturday]
Episode Date: May 27, 2023
This week, our guests are Emily Austin and Himaja Motheram from Censys, and they're sharing their research, "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin ...panels." In early February 2023, Censys researchers discovered a zero-day RCE vulnerability in Fortra's "GoAnywhere MFT" (Managed File Transfer) software. After this was found, the Clop ransomware gang claimed to have exploited the vulnerability to breach the data of 130 organizations, and Censys found other ransomware groups jumping on the bandwagon. They said, "A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals." The research can be found here: Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
I am a person who monitors Twitter quite a bit,
and I started to see noise from Brian Krebs on Mastodon talking about this new zero-day vulnerability in a
file transfer application called Go Anywhere MFT. And I'd never heard of that before.
Our guests this week are Emily Austin and Himaja Motheram from security company Censys.
They're sharing their research, "Months after first GoAnywhere MFT zero-day attacks,
Censys still sees approximately 180 public admin panels."
It is advertised as this kind of enterprise file transfer application.
That's Himaja Motheram.
And when we did a little bit of digging into how the service is documented, it seems that it's really intended for sensitive data.
It's compliant with a lot of different data protection guidelines and standards.
And the types of organizations that we see impacted by breaches are, you know,
big enterprise organizations like healthcare institutions, financial institutions, governments even, so a pretty hefty product.
So let's dig into the timeline here. Where did this begin? And again, how did you all decide to head down this path of research?
I think this really started gaining traction in early February when the zero day was disclosed.
The actual security advisory was hidden behind a customer portal login. And so most of the
talk about it came from Twitter. But what really made the story start to jump in discussion was around mid-February, the ransomware... There are over 20 organizations that have publicly come forward as having been affected by this exploit.
Can we talk about the vulnerability itself? What is the specific issue here?
So it appears to be a remote code execution vulnerability in the admin panel interface
of the Go Anywhere MFT application. So web client interfaces are not affected,
but there's an RCE exploit in the licensing server
of admin panel interfaces.
And admin panels are, in this case,
I would consider them critical infrastructure.
And they offer an interface into this very sensitive data and so really have no business being exposed to the public internet.
But we see a lot of them are exposed to the public internet, be it through misconfigurations or maybe some of these were intentionally exposed for some reason or another.
But a lot of instances of these admin panels are accessible to this RCE exploit because they're public facing and would be honestly pretty trivial for even
an amateur threat actor to discover. And so what has Fortra's response been here as this was brought to their attention?
Yeah, so their response has been a little bit criticized because, again, like I said,
they hid their security advisory behind a login wall at the beginning. A little bit after that, they did release a patch in version 7.1.2
and offered some other mitigation suggestions for customers. But over
the course of the past three months, they have misled some customers into believing their data
was safe when it wasn't. And only recently, maybe in late April, they published an investigation
two months after the disclosure. But the response that we're seeing from the affected organizations is that
they didn't quite feel like they were being well-informed about how their instances were
affected by this vulnerability. And your own research here looks into how many organizations
are still exposed here, right? Yes. Can you lay that out for us? What did you find? Yeah. So at the
beginning, you know, early February, we saw a lot of admin panels online. We saw around like 300
and almost 330 of these admin panels that were publicly exposed and showed indications of running versions that were
vulnerable versions earlier than 7.1.2. Right after that security advisory and some of the
discussion on Twitter started peaking on February 2nd, we saw that number drop dramatically from
around 330 to maybe like 250. And since then, we've kind of seen this very slow, steady decrease in that number of
exposed hosts that look like they're running vulnerable versions. And as of two days ago on
May 15th, we see 50. And so that's encouraging that it's dropped so much from when the original zero day was disclosed.
But 50 admin panels online,
those could be the portal to a wealth of sensitive data that could affect millions of people.
So we're still concerned about how this patching rate
is starting to kind of plateau over the past couple weeks.
And now, a message from our sponsor, Zscaler,
the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise
by an 18% year-over-year increase
in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools
expand your attack surface
with public-facing IPs
that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Emily, I'm interested in your insights here as well.
What is your take on the information you've gathered here?
Yeah, so one thing I'd like to point out, you know, we're talking about this vulnerability.
That's Emily Austin. In context, you know, several other researchers have published really excellent reviews and kind of deep dives into the remote code execution exploit itself. And so where I
think we really have a lot to offer, and as Himaja has kind of just walked through, is being able to
look at this vulnerability and others that have
some kind of, you know, public internet facing artifact available, you know, a login page,
a ransom note on a public facing service. We can see those things and we can kind of zoom out a
little bit and take a more macro look at the state of the vulnerability as it might be across the internet. You know, what are the
potential ramifications of this vulnerability if it were exploited to the maximum potential,
right? You know, how many devices do we see that could potentially fall victim to it?
And so that's been really interesting to track here and see over time, you know, how we've been
able to see this go from, you know, this dramatic decrease initially, and then just kind
of tapering off slowly. And we're kind of still seeing these still hanging around. So it's been
interesting to see that. And it also kind of ties back to this whole idea, you know, of security
hygiene. I know that's something that we talk about a lot. And it's something that, you know,
it's not exciting necessarily, but asset management,
understanding that the devices that are within your organization's purview, like that's really
important.
And understanding, you know, I think the Go Anywhere, their initial advisory said, you
know, most of these instances should be behind a VPN or a firewall of some kind.
But there's also this implication that some of them aren't and they're aware of that.
And, you know, we see evidence
of that in our data.
And so I think being aware
of those things as an administrator
of these tools is really important.
But yeah, so I think what's really cool
about what we've been able to do here
is looking at this vulnerability
kind of on a global scale
and saying, okay, well,
what are the potential
ramifications of this?
You know, how many organizations do we see that potentially could still be affected by it?
And when you look at that, what do you see? What conclusions have you all come to?
Yeah, I mean, like I said, I think really the big thing is we're seeing that organizations
just aren't necessarily prioritizing asset management, patch management,
and vulnerability management. You know, we talk a ton about new exploits and things that get released, but really, and this was kind of a perfect storm, right? So you have this zero day
in a device, or in a service rather, whose admin pages oftentimes are exposed to the internet
unprotected. So it's kind of this like perfect mix of you do have a zero day
and you have something improperly exposed to the internet
that just makes it really trivial, as Himaja said,
to exploit and cause havoc, steal data and do what you will.
You know, Himaja, I'm curious.
Certainly not all patches are created equal
and everybody's situation is different of the infrastructure that they're running.
Is there anything particularly burdensome in this update that you see that would cause people to lag behind or delay making the updates?
That's a great question. And I don't know the particular intricacies of the patch that might relate to that. But my hypothesis is honestly that we're seeing this patch rate plateau mostly because a lot of these assets are probably exposed unintentionally, is my guess. And that some of them might even be old or legacy
infrastructure that has just been kind of abandoned or maybe their service owners are
not quite clear in the organization. And they're kind of these endpoints that are just left without
any tending. Because applying the patch is, like Emily said, a part of basic security hygiene. And it's a pretty simple
process when you know what to apply it to. So I'm thinking that these assets are kind of those
unknown unknowns in an organization potentially. And that's why these basic security hygiene
practices aren't being fulfilled. Emily, based on the information that you all have gathered here,
what are your recommendations? I think you could probably guess they're not going to be exciting.
They're going to be beyond like GoAnywhere specifically, right? Like get it off of the
internet if it's on the internet, if it's exposed to the internet, the admin panel specifically,
patch it to version 7.1.2. That's GoAnywhere specifically, but just
more broadly speaking, you know, again, understanding what assets are within your organization's control,
like the things that you do own, getting a handle on that. It's not an easy process,
but it's really, really important. So because you can't, you can't manage vulnerabilities or
patches if you don't know all of the things that you need to patch or manage, right?
So I think those are really critical pieces of a security program.
They're critical pieces of, you know, strong security posture.
And so just being aware of those things that are those like kind of back office applications, things that, you know, are, you know, essential to business function as a tool like this is allowing you to transfer data
between organizations or within an organization. Yeah. So I think figuring out if you own any of
these, these devices, understanding where they are in your network and understanding that something
needs to be done about them, they do need to be kept off of the public internet. Right. I think
that's a huge piece here. And so all of those things come together to kind of help you create a stronger security posture for your organization.
Our thanks to Himaja Motheram and Emily Austin from Censys for joining us. The research is titled,
"Months After First GoAnywhere MFT Zero-Day Attacks, Censys Still Sees Approximately 180 Public Admin Panels." We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24/7, 365 with Black Cloak. Learn more.
of cybersecurity teams and technologies. This episode was produced by Liz Irvin
and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman.
Our executive editor is Peter Kilpe.
And I'm Dave Bittner.
Thanks for listening.