Mass Ransomware Attack

A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack:

TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward.

However, while the number of victims of the mass-hack is widening, the known impact is murky at best.

Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.

Posted on March 23, 2023 at 7:05 AM

Comments

Lawrence March 23, 2023 12:17 PM

“GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files”

Apparently not so “securely”. 😉

RealFakeNews March 23, 2023 7:21 PM

Wait…so self-hosted instances that should be operating behind firewalls/authentication systems were just “compromised” en masse?

Self-hosted instances “phoning home”/backdoored?

The question I’d ask is: was it written for this purpose?

HoKnowz March 24, 2023 9:28 AM

@RealFakeNews

The question I’d ask is: was it written for this purpose?

Or an inside job at that company, anyway. From the looks of it.

Andrew March 24, 2023 2:09 PM

This application is routinely located in the DMZ. A zero-day flaw reportedly was exploited to enable unauthorized access. Like with user VPN concentrators and web apps and APIs in general, software on the public internet that acts as a gateway to data or the network will be targeted. My understanding is that both client-deployed and vendor-hosted services were (are, if still not patched) vulnerable.

Ideally, access to these services from the public internet will be as narrow as possible, with access limited to only whitelisted known business partners that you have a contractual partnership to share data with, as a minimum control. But like with user VPN, the business may not know or be able to control the sources. Or, equally likely, they don’t justify/value or appreciate the importance here of least privilege.

No “back door” necessary when there is an exploitable flaw and access from the entire internet.

Minding biz March 24, 2023 8:13 PM

It’s the same company that owns Cobalt Strike. Formerly Help Systems. They changed their name after Cobalt Strike was repeatedly involved in ransomware attacks.

They call themselves a cybersecurity company.

They purchased 3 dozen companies in the last few years. Likely they have customers everywhere as a result. But most interesting is they recently purchased another red team tool company.

https://www.itjungle.com/2022/10/05/helpsystems-goes-on-the-security-offensive-again/
