therecord.media
2606:4700::6812:1c78

URL: https://therecord.media/forta-goanywhere-mft-file-transfer-zero-day/
Submission: On February 07 via api from US — Scanned from DE

Text Content

Image: Arnold Francisca
Jonathan Greig February 3, 2023


ZERO DAY AFFECTING FORTRA’S GOANYWHERE FILE TRANSFER TOOL IS ACTIVELY BEING
EXPLOITED

Briefs
Cybercrime
Technology

A zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file-transfer
solution is currently being exploited, according to cybersecurity giant Rapid7. 

The web-based file transfer tool is used by dozens of major companies and
schools, including the University of Cincinnati, Think Mutual Bank, Nemours
and many local government offices.

Fortra did not respond to requests for comment about when a patch will be
available or whether it will publish a public advisory about the issue.

File sharing platforms like GoAnywhere MFT are prime targets for nation-states
and criminal hackers due to the data they might contain and their wide
deployment across organizations. 

Vulnerabilities affecting another file transfer provider, Accellion, were used
repeatedly to target financial institutions, government agencies, universities
and corporations.

Popular file-sharing network appliance FileZen has also been targeted by hackers
in recent years. 


NO PUBLIC ADVISORY

On Wednesday, Fortra published a private advisory within its customer portal
explaining that the bug is a remote code injection flaw that requires
administrative console access for successful exploitation.

The bug was publicly highlighted by cybersecurity expert Brian Krebs, who
published the advisory on social media platform Mastodon and wrote that the
company said it “has temporarily implemented a service outage in response.”

The company warned that if an administrative console is exposed to the public
internet, “it is highly recommended partnering with our customer support team to
put in place appropriate access controls to limit trusted sources.”



Security expert Kevin Beaumont shared a search on security platform Shodan that
showed there were 1,008 instances of tools exposed to the internet. By Friday
afternoon, that number fell to 1,004, with 580 in the United States and more
than 60 in Germany. 

The advisory shared by Krebs provides a range of information to help those
affected mitigate their exposure. 

Rapid7 confirmed that there is no mention of a patch.

“The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all
administrative users and monitor for unrecognized usernames, especially those
created by system,” Rapid7’s Caitlin Condon said. 

“The logical deduction is that Fortra is likely seeing follow-on attacker
behavior that includes the creation of new administrative or other users to take
over or maintain persistence on vulnerable target systems. Note that, while this
is not mentioned explicitly in the pasted Fortra advisory text, it is also
possible that threat actors may be able to obtain administrative access by
targeting reused, weak, or default credentials.”

Rapid7 urged GoAnywhere MFT customers to log into the customer portal and access
direct communications from Fortra.

The list of victims in the Accellion case included Morgan Stanley, Stanford
Medicine, The Reserve Bank of New Zealand, the University of Maryland Baltimore,
Washington State Auditor, the University of California, Shell, the University of
Colorado, Singapore telco Singtel, security firm Qualys, airplane maker
Bombardier, and US retail store chain Kroger.

Tags
 * Accellion
 * bug
 * exploit
 * file transfer
 * Fortra
 * GoAnywhere MFT
 * Rapid7
 * vulnerability
 * zero-day

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2023 | The Record from Recorded Future News