A zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file-transfer solution is currently being exploited, according to cybersecurity giant Rapid7.
The web-based file transfer tool is used by dozens of major companies and schools, including the University of Cincinnati, Think Mutual Bank, Nemours and many local government offices.
Fortra did not respond to requests for comment about when a patch will be available or whether it will publish a public advisory about the issue.
File sharing platforms like GoAnywhere MFT are prime targets for nation-states and criminal hackers due to the data they might contain and their wide deployment across organizations.
Vulnerabilities affecting another file transfer provider, Accellion, were used repeatedly to target financial institutions, government agencies, universities and corporations.
Popular file-sharing network appliance FileZen has also been targeted by hackers in recent years.
No public advisory
On Wednesday, Fortra published a private advisory within its customer portal explaining that the bug is a remote code injection flaw that requires administrative console access for successful exploitation.
The bug was publicly highlighted by cybersecurity expert Brian Krebs, who published the advisory on social media platform Mastodon and wrote that the company said it “has temporarily implemented a service outage in response.”
The company warned that if an administrative console is exposed to the public internet, “it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources.”
Security expert Kevin Beaumont shared a search on the Shodan scanning platform showing 1,008 GoAnywhere MFT instances exposed to the internet. By Friday afternoon, that number had fallen to 1,004, with 580 in the United States and more than 60 in Germany.
The advisory shared by Krebs provides a range of information to help those affected mitigate their exposure.
Rapid7 confirmed that the advisory makes no mention of a patch.
“The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system,” Rapid7’s Caitlin Condon said.
“The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems. Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.”
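The review Rapid7 describes, reconciling the current administrative users against a list the team has already approved and flagging anything created by "system" or inside a suspicious time window, can be scripted. The following is an added example, not code from Fortra, Rapid7 or the article: the CSV layout (username, created_by, created_at, role), the approved-account baseline and the sample rows are all constructed assumptions, since the page does not show GoAnywhere's real user export format.

```python
"""Review a file-transfer server's administrative users against a known baseline.

Added illustration. Flags accounts that are absent from the approved list, were
created by the 'system' principal, or were created on or after a given date.
The CSV layout below is an assumption, not GoAnywhere MFT's real export.
"""
import csv
import io
from datetime import datetime

# Constructed sample export (not real data); the column names are assumed.
SAMPLE_EXPORT = """username,created_by,created_at,role
admin,installer,2021-03-02T10:15:00Z,Administrator
jsmith,admin,2022-07-19T08:02:11Z,Administrator
svc_backup,admin,2022-09-01T12:00:00Z,Operator
ftp_sync,system,2023-02-01T03:14:52Z,Administrator
helpdesk2,system,2023-02-02T04:01:07Z,Administrator
"""

# Accounts the team has previously reviewed and approved (assumed baseline).
KNOWN_ACCOUNTS = {"admin", "jsmith", "svc_backup"}

# Creator values a human operator would not normally appear as.
SUSPICIOUS_CREATORS = {"system"}


def parse_ts(value):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text):
    """Parse the CSV export into a list of dicts with a datetime created_at."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["created_at"] = parse_ts(row["created_at"])
        rows.append(row)
    return rows


def find_suspect_accounts(rows, known=KNOWN_ACCOUNTS,
                          suspicious_creators=SUSPICIOUS_CREATORS,
                          since=None):
    """Return {username: [reasons]} for accounts that deserve a second look."""
    findings = {}
    for row in rows:
        reasons = []
        if row["username"] not in known:
            reasons.append("not in approved baseline")
        if row["created_by"].lower() in suspicious_creators:
            reasons.append(f"created by '{row['created_by']}'")
        if since is not None and row["created_at"] >= since:
            reasons.append(f"created on or after {since.date().isoformat()}")
        # An unexplained account is far more serious if it can administer the box.
        if reasons and row["role"].lower() == "administrator":
            reasons.append("holds Administrator role")
        if reasons:
            findings[row["username"]] = reasons
    return findings


def review(text, since_iso=None):
    """Convenience wrapper: parse the export and run the checks."""
    since = parse_ts(since_iso) if since_iso else None
    return find_suspect_accounts(parse_export(text), since=since)


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_EXPORT, "2023-01-01T00:00:00Z").items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real export, the only parts to change are the baseline set and the column mapping; the point is that the baseline is kept outside the appliance, so an attacker who can add users through the console cannot also edit the list they are compared against.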
Rapid7 urged GoAnywhere MFT customers to log into the customer portal and access direct communications from Fortra.
The list of victims in the Accellion case included Morgan Stanley, Stanford Medicine, the Reserve Bank of New Zealand, the University of Maryland Baltimore, the Washington State Auditor's Office, the University of California, Shell, the University of Colorado, Singapore telco Singtel, security firm Qualys, airplane maker Bombardier, and US retail store chain Kroger.