GoAnywhere MFT Zero-Day Vulnerability

Chris Swagler | March 28th, 2023

The developers of the GoAnywhere MFT (managed file transfer) solution have warned clients about a zero-day remote code execution vulnerability affecting exposed administrator consoles. GoAnywhere is a secure web file transfer solution that enables companies to exchange encrypted files with partners while keeping detailed audit logs of who accessed the files. The security advisory was first made public by a reporter who shared a copy on Mastodon. According to a client who received the message, it affects both on-premises and SaaS deployments of GoAnywhere, though this could not be independently confirmed at the time. The advisory explains that the exploit requires access to the administrative console, which should not ordinarily be exposed to the internet, and warns that a zero-day remote code injection exploit was discovered in GoAnywhere MFT.

The GoAnywhere MFT Zero-Day Vulnerability

The exploit’s attack vector involves access to the application’s administrative console, which in most cases is reachable only from within a company’s private network, over a VPN, or from allow-listed IP addresses (when running in cloud environments such as Azure or AWS). Because no patch is yet available for the zero-day vulnerability, administrators are advised to apply the following mitigation:

  • Edit the file “[install_dir]/adminroot/WEB_INF/web.xml” on the file system where GoAnywhere MFT is installed.
  • Locate and remove (delete or comment out) the servlet and servlet-mapping configurations.
  • Relaunch the GoAnywhere MFT application.
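The three steps above amount to editing a Java web.xml by hand. The script below is an added example (not the vendor's tooling or code from this advisory) that comments out the `<servlet>` and `<servlet-mapping>` blocks for a named servlet, takes a timestamped backup first, and can confirm afterwards which servlets are still live. The servlet name `ExampleServlet`, the sample web.xml fragment and the `KeepMe` servlet are constructed placeholders; the real servlet name must be taken from the vendor advisory, which this page does not reproduce.

```python
"""Comment out one servlet and its mapping in a web.xml (added example, not vendor code)."""
import re
import shutil
import sys
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# Constructed sample web.xml fragment; servlet names here are placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>KeepMe</servlet-name>
    <servlet-class>com.example.KeepMe</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleServlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>KeepMe</servlet-name>
    <url-pattern>/keep/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleServlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Whole <servlet>...</servlet> or <servlet-mapping>...</servlet-mapping> elements.
# "servlet-mapping" is tried first so "<servlet>" never swallows a mapping block,
# and "\s*>" keeps "<servlet-name>" / "<servlet-class>" from matching.
_BLOCK = re.compile(r"<(servlet-mapping|servlet)\s*>.*?</\1\s*>", re.S)
_COMMENT = re.compile(r"(<!--.*?-->)", re.S)


def disable_servlet(xml_text: str, servlet_name: str) -> tuple[str, int]:
    """Wrap every servlet/servlet-mapping block for servlet_name in an XML comment.

    Returns (new_text, blocks_changed). Existing comments are skipped, so running
    the function twice is a no-op the second time.
    """
    changed = 0

    def wrap(match: re.Match) -> str:
        nonlocal changed
        block = match.group(0)
        name = re.search(r"<servlet-name>\s*(.*?)\s*</servlet-name>", block, re.S)
        if name is None or name.group(1) != servlet_name:
            return block
        changed += 1
        # "--" is illegal inside an XML comment, so neutralise it before wrapping.
        return "<!-- disabled per advisory\n" + block.replace("--", "- -") + "\n-->"

    out = []
    for part in _COMMENT.split(xml_text):  # keep existing comments untouched
        out.append(part if part.startswith("<!--") else _BLOCK.sub(wrap, part))
    return "".join(out), changed


def active_servlets(xml_text: str) -> list[str]:
    """Names of <servlet> elements still live after parsing (comments are dropped).

    Tag names are compared by local name so a namespaced web.xml also works.
    """
    root = ET.fromstring(xml_text)
    names = []
    for el in root:
        if el.tag.rsplit("}", 1)[-1] == "servlet":
            for child in el:
                if child.tag.rsplit("}", 1)[-1] == "servlet-name":
                    names.append((child.text or "").strip())
    return names


def disable_servlet_in_file(path: Path, servlet_name: str) -> int:
    """Back up web.xml, rewrite it in place, and return the number of blocks disabled."""
    original = path.read_text(encoding="utf-8")
    new_text, changed = disable_servlet(original, servlet_name)
    if changed:
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, path.with_name(f"{path.name}.bak-{stamp}"))
        path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py /path/to/web.xml ServletName
        n = disable_servlet_in_file(Path(sys.argv[1]), sys.argv[2])
        print(f"{n} block(s) disabled")
    else:  # demo on the constructed sample
        text, n = disable_servlet(SAMPLE_WEB_XML, "ExampleServlet")
        print(text)
        print(f"{n} block(s) disabled; still active: {active_servlets(text)}")
```

Commenting out rather than deleting keeps the original configuration visible for the later restore once a vendor patch ships, and `active_servlets` is the check to run after the application is relaunched to confirm the servlet is really gone from the live configuration.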

No other mitigation is available because the vendor has not yet released a security update. The vendor’s SaaS service has been temporarily shut down until the issue is resolved. Administrators should also audit their installations, which includes the following checks:

  • Check whether any new, unknown admin accounts have been created and whether the Admin Audit Log shows them as created by non-existent or disabled super users.
  • Review the Administration logs (Reporting -> Audit Logs -> Administration) and look for anything created by root users.
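Both audit checks reduce to the same question: which admin-account creations were performed by an actor that should not have been able to perform them, and were the resulting accounts then used? The following added example (not vendor tooling, and not derived from a real GoAnywhere log) runs that logic over a constructed audit-log export. The CSV column names, the event label `Create Admin User`, the super-user name `root` and the account inventory are all assumptions to be adapted to the real export.

```python
"""Flag suspicious admin-account creations in an audit-log export (added example)."""
import csv
import io

CREATE_EVENT = "Create Admin User"  # assumed event label in the export
SUPER_USERS = {"root"}              # assumed built-in super-user account name

# Constructed sample export in an assumed column layout (not real log data).
SAMPLE_AUDIT_CSV = """timestamp,admin_user,event,target_user
2023-01-30T08:12:03Z,alice,Login,
2023-01-30T08:14:22Z,alice,Create Admin User,bob
2023-02-01T03:41:09Z,root,Create Admin User,svc_backup
2023-02-01T03:42:51Z,svc_backup,Login,
2023-02-01T03:45:10Z,legacyadmin,Create Admin User,helpdesk2
2023-02-01T03:46:30Z,helpdesk2,Login,
"""

# Constructed pre-incident inventory: admin account -> status.
KNOWN_ADMINS = {
    "alice": "enabled",
    "bob": "enabled",
    "root": "enabled",
    "legacyadmin": "disabled",
}


def parse_rows(csv_text: str) -> list[dict]:
    """Parse the export into one dict per row (csv module handles quoting)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def suspicious_creations(rows: list[dict], known_admins: dict) -> list[dict]:
    """Return admin-account creations that violate the expectations in the advisory.

    A creation is flagged when the creator is not in the inventory (non-existent),
    is marked disabled, is a super user, or when the new account was not in the
    pre-incident inventory at all.
    """
    findings = []
    for row in rows:
        if row["event"] != CREATE_EVENT:
            continue
        creator, target = row["admin_user"], row["target_user"]
        reasons = []
        status = known_admins.get(creator)
        if status is None:
            reasons.append("creator not in admin inventory")
        elif status == "disabled":
            reasons.append("creator is disabled")
        if creator in SUPER_USERS:
            reasons.append("creator is a super user")
        if target not in known_admins:
            reasons.append("new account not in pre-incident inventory")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "creator": creator,
                "target_user": target,
                "reasons": reasons,
            })
    return findings


def follow_on_logins(rows: list[dict], findings: list[dict]) -> list[tuple[str, str]]:
    """Logins by flagged accounts: evidence the account was actually used, in log order."""
    flagged = {f["target_user"] for f in findings}
    return [
        (row["timestamp"], row["admin_user"])
        for row in rows
        if row["event"] == "Login" and row["admin_user"] in flagged
    ]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_AUDIT_CSV)
    flagged = suspicious_creations(rows, KNOWN_ADMINS)
    for f in flagged:
        print(f"{f['timestamp']} {f['creator']} created {f['target_user']}: {', '.join(f['reasons'])}")
    for ts, user in follow_on_logins(rows, flagged):
        print(f"{ts} follow-on login by flagged account {user}")
```

The inventory must come from a known-good source (a pre-incident backup or export), not from the current admin list, because an attacker who created an account would otherwise appear in the very list the check trusts.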

A security professional ran a Shodan scan to determine how many GoAnywhere instances were exposed on the internet and found 1,008 servers, most of them in the United States. However, the admin console typically listens on ports 8000 and 8001, and only 151 of those were exposed. Even though the attack surface appears limited, large companies use the product to transfer sensitive files with their partners: local governments, healthcare companies, banks, energy companies, financial services companies, museums, and computer manufacturers all use the GoAnywhere file transfer solution. A single breach exploiting the GoAnywhere MFT zero-day can expose sensitive data that is then used for extortion, as happened in the Clop ransomware group’s 2021 breaches of Accellion FTA (File Transfer Appliance) servers, which hit numerous high-profile global companies.

With both new and existing vulnerabilities being exploited by threat operators in their extortion schemes, it’s important for high-profile companies to stay alert to the latest threat landscape and regularly apply security patches to their software. At SpearTip, our engineers examine companies’ security postures to improve the weak points within their networks. Additionally, our team engages with companies’ people, processes, and technology to truly measure the maturity of their technical environments. For every vulnerability our engineers uncover, they provide companies with a technical roadmap ensuring they have the awareness and support to optimize their overall cybersecurity posture. SpearTip discovers blind spots within companies that can lead to significant compromises, going beyond simple compliance frameworks to examine daily cyber function within companies.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
