On 6 February Florian Hauser, a researcher with Code White, released a Proof-of-Concept (PoC) exploit for the GoAnywhere MFT zero-day that is being actively exploited. Fortra, the company that develops and maintains GoAnywhere, has not made a public statement, but it has privately (behind a free customer account) released a security bulletin with mitigation steps and has published a security patch (7.1.2) to address the flaw. The exploit is an unauthenticated remote code execution that takes advantage of hard-coded keys, potentially granting an attacker a foothold on the internal network. Shodan shows nearly 1000 devices exposed to the public internet in a way that makes the exploit possible.
Any users of GoAnywhere MFT should assume compromise: remove public-facing internet access to the tool, and rotate the master encryption key and any passwords used for access. The security bulletin released by the developer includes a stack trace that administrators can look for in the logs to determine whether the exploit was used against the system. Additionally, administrators should deploy the security patch as soon as change management allows. Companies should endeavor to always place systems that must be reachable from outside the company behind a VPN to mitigate the impact of a zero-day such as this one; when this is not possible, administrators can implement access controls that limit access to specific source addresses.