GoAnywhere MFT Zero-day Vulnerability: What You Need to Know
On February 1, researchers at Fortra warned customers of a zero-day remote code injection flaw in its GoAnywhere MFT software. The vulnerability exposes administrator consoles that are directly reachable from the internet rather than restricted to a virtual private network (VPN) or to allow-listed IP addresses in cloud environments such as AWS and Azure.
What Is GoAnywhere MFT?
GoAnywhere MFT is a secure file transfer and data encryption solution that helps organizations to automate and streamline their file transfer processes. It enables users to securely transfer files, automate workflows, and encrypt data at rest or in transit.
GoAnywhere MFT supports various protocols such as FTP, SFTP, HTTPS, and AS2, and provides features such as file triggers, job scheduling, and detailed audit logs. It can be deployed on-premises, in the cloud, or as a hybrid solution. It helps organizations to comply with data privacy regulations such as GDPR, HIPAA, and PCI DSS.
CVE-2023-0669—Fortra GoAnywhere MFT RCE Vulnerability
The zero-day remote code execution (RCE) vulnerability (CVE-2023-0669) was first made public by security reporter Brian Krebs, who posted a copy of the advisory on Mastodon. The vulnerability allows an attacker to create an unauthenticated backdoor in the system and then upload, delete, modify, or extract files from it. As of the writing of this blog post, a CVSS (Common Vulnerability Scoring System) score had not been assigned to the vulnerability.
What Is a Remote Code Injection Flaw?
A remote code injection flaw is a type of security vulnerability that allows an attacker to inject malicious code into an application from a remote source. It is an attractive attack vector because of its low barrier to entry and potential for large-scale damage. The injected code can then be executed to carry out activities such as data theft, privilege escalation, or system compromise. Remote code injection flaws stem from coding errors or inadequate input validation when writing applications. Insecure coding practices allow malicious actors to continuously find new ways to exploit applications.
Attackers who leverage remote code injection flaws employ a variety of techniques, such as fuzzing and code review, to identify and exploit coding errors and inadequate input validation. Fuzzing involves sending large amounts of random data to inputs to pinpoint potential vulnerabilities. Code review involves analyzing an application’s source code for potential flaws. Attackers can also use automated tools and scanners to identify weaknesses.
Security Advisory From Fortra
Administrative consoles and management interfaces should ideally never be exposed to the internet. In response to Krebs’ post, security professional Kevin Beaumont performed a Shodan scan to determine how many GoAnywhere MFT instances were exposed and found 1,008 servers, primarily in the U.S. At the same time, however, BleepingComputer saw only 151 with ports 8000 and 8001 exposed.
The advisory from Fortra is titled “A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT.” The developers at Fortra wrote, “The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”
Until a patch is available, Fortra recommends that customer administrators of GoAnywhere MFT apply the following mitigation:
- On the file system where GoAnywhere MFT is installed, edit the file “[install_dir]/adminroot/WEB_INF/web.xml”.
- Find and remove (delete or comment out) the following servlet and servlet-mapping configuration.
- Restart the GoAnywhere MFT application.
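A way to confirm the edit took effect, as an added example that is not from Fortra or from the original post: it parses a web.xml and reports whether a named servlet and its servlet-mapping are still active, including the case where only one of the two was removed. The servlet name, class, and URL pattern are placeholders (this page does not list them), and the XML documents are constructed sample input.

```python
import xml.etree.ElementTree as ET

# Placeholder: substitute the servlet name given in the vendor advisory.
SERVLET_NAME = "PLACEHOLDER_SERVLET_NAME"

def _local(tag):
    """Strip an XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def active_entries(web_xml_text, servlet_name):
    """Return which of 'servlet' / 'servlet-mapping' still declare servlet_name.

    ElementTree discards XML comments while parsing, so a block that was
    commented out is treated the same as one that was deleted.
    """
    found = set()
    for elem in ET.fromstring(web_xml_text):
        kind = _local(elem.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        for child in elem:
            if (_local(child.tag) == "servlet-name"
                    and (child.text or "").strip() == servlet_name):
                found.add(kind)
    return sorted(found)

# Constructed sample descriptors (class and URL pattern are made up).
HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">'
SERVLET = ("<servlet><servlet-name>%s</servlet-name>"
           "<servlet-class>example.Placeholder</servlet-class></servlet>"
           % SERVLET_NAME)
MAPPING = ("<servlet-mapping><servlet-name>%s</servlet-name>"
           "<url-pattern>/placeholder</url-pattern></servlet-mapping>"
           % SERVLET_NAME)
UNMITIGATED = HEAD + SERVLET + MAPPING + "</web-app>"
HALF_DONE = HEAD + "<!-- " + SERVLET + " -->" + MAPPING + "</web-app>"
MITIGATED = HEAD + "<!-- " + SERVLET + MAPPING + " -->" + "</web-app>"

if __name__ == "__main__":
    for label, doc in [("unmitigated", UNMITIGATED),
                       ("half done", HALF_DONE), ("mitigated", MITIGATED)]:
        left = active_entries(doc, SERVLET_NAME)
        print(label, "->", left or "no active entries")
```

An empty result means both entries are gone; the change only applies once the application has been restarted.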
Mitigating Advanced Persistent Threats
As threat actors are increasingly using advanced persistent threats to accelerate their attacks, obfuscate their tracks, and gain greater access to the systems into which they hack, GoAnywhere MFT customers need to review all administrative user accounts for anything suspicious. Indicators could include 1) unrecognized usernames, 2) “Created By” details that show “system,” 3) suspicious timing of account creation, and 4) an Admin Audit Log that shows a non-existent or disabled super user creating an account. By creating additional admin accounts, the attackers can extend their persistence in the environments of end customers within the GoAnywhere MFT supply chain.
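The four indicators above applied to account and audit records, as an added example that is not part of the original post or of the product. The record field names, the `create_admin_user` action label, and the exposure-window cutoff are assumptions, and all sample data is constructed.

```python
from datetime import datetime

def review_admin_accounts(accounts, audit_log, approved, superusers, window_start):
    """Return {username: [reasons]} for accounts matching the indicators above.

    approved     -- set of usernames the organization recognizes
    superusers   -- {username: enabled?} for every super user that exists
    window_start -- accounts created on or after this time count as suspicious
                    timing (an assumption; pick your own exposure window)
    """
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    for acct in accounts:
        user = acct["username"]
        if user not in approved:
            flag(user, "unrecognized username")
        if acct["created_by"].strip().lower() == "system":
            flag(user, "created by system")
        if datetime.fromisoformat(acct["created_at"]) >= window_start:
            flag(user, "created inside exposure window")

    for entry in audit_log:
        if entry["action"] != "create_admin_user":
            continue
        if entry["actor"] not in superusers:
            flag(entry["target"], "creator does not exist")
        elif not superusers[entry["actor"]]:
            flag(entry["target"], "creator is disabled")
    return findings

# Constructed sample data; field names are hypothetical, not a product schema.
ACCOUNTS = [
    {"username": "jsmith", "created_by": "root", "created_at": "2022-06-01T09:00:00"},
    {"username": "svc_x9", "created_by": "system", "created_at": "2023-01-30T03:12:00"},
    {"username": "backup2", "created_by": "oldadmin", "created_at": "2023-01-31T02:40:00"},
]
AUDIT_LOG = [
    {"actor": "root", "action": "create_admin_user", "target": "jsmith"},
    {"actor": "ghost", "action": "create_admin_user", "target": "svc_x9"},
    {"actor": "oldadmin", "action": "create_admin_user", "target": "backup2"},
]
FINDINGS = review_admin_accounts(ACCOUNTS, AUDIT_LOG, approved={"jsmith", "root"},
                                 superusers={"root": True, "oldadmin": False},
                                 window_start=datetime(2023, 1, 25))
```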
4 Recommendations to GoAnywhere MFT Customers
As GoAnywhere MFT customers assess how to proceed in light of the news concerning the zero-day vulnerability, I have four recommendations:
- Promptly Apply Patches: As soon as patches become available for the vulnerability, GoAnywhere MFT customers should implement them promptly.
- Follow Fortra’s Instructions: In case of a zero-day vulnerability, it is crucial for customers to follow the vendor’s instructions for mitigating configurations. See the above discussion for the actions you need to execute and do so as soon as possible.
- Establish Clear Communication Channels: Designate the people within your organization who are responsible for communicating with the GoAnywhere MFT team, and ensure that their names, contact information, and responsibilities are known.
- Adhere to Best Practices: Follow both the software vendor’s best practices and your own organization’s security best practices. In the case of the GoAnywhere MFT vulnerability, Fortra advised customers to access the administrative console only through VPN or from allow-listed IP addresses in cloud environments, and to review all administrative users and monitor for any unrecognized usernames, particularly those created by “system.”
Incident Response Takeaways and Security Hardening
Along with other leaders in the company, I was at the forefront of the response to a zero-day vulnerability in Accellion’s legacy File Transfer Appliance (FTA) about two years ago. We worked closely with Mandiant during the incident response and found that it is crucial to act swiftly and to have a software vendor that implements effective mitigation measures. It is also important for GoAnywhere MFT customers to remember that due to the persistent nature of many cyberattacks, they need to adhere to both their own security best practices and those recommended by Fortra to prevent additional vulnerabilities.
The upside is that despite the FTA breach, we were able to retain over 90% of our customers by transitioning to the Kiteworks Private Content Network (PCN) offering. This showcases how careful and diligent handling of an incident can make a difference in the outcome for a company. Today, Kiteworks PCN is widely regarded as one of the most secure platforms available with a virtual hardened appliance and a defense-in-depth security approach, with the company experiencing its strongest year of growth in FY22.