Forum Discussion
CVE-2023-0669: Clop Ransomware Group Claims to breach 130 Organizations using Zero-day Vulnerability in GoAnywhere
A zero-day vulnerability in Fortra's GoAnywhere MFT secure file transfer tool is being exploited in the wild by the Clop ransomware group. In an interview with Bleeping Computer, the group claimed to have stolen data from over 130 organizations by exploiting CVE-2023-0669. Fortra released an advisory on February 1, which is only available to logged-in account holders. Brian Krebs has posted a copy of the security advisory to his Mastodon account, which contains more information from Fortra.
According to the advisory, CVE-2023-0669 is a remote code injection vulnerability in GoAnywhere's license response Servlet. Successful exploitation requires access to the application's administrative console. According to Fortra, this console does not typically face the public internet, and Fortra recommends taking action to apply access controls. Fortra released a patch for the vulnerability on February 7.
We strongly advise customers using GoAnywhere to patch to the latest version (7.1.2), even if their administrative console does not face the public internet, as the vulnerability can still be exploited from their internal networks.
Product coverage for this vulnerability is currently being evaluated, and will be released shortly. Coverage can be identified using this link which uses a search filter to ensure that all matching plugin coverage will appear as it is released.