GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

goanywhere-mft-zero-day-exploitation-linked-to-ransomware-attacks

The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack. 

On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit. The vendor immediately provided indicators of compromise (IoCs) and mitigations, but released a patch only a week later. 

Users, particularly those who are running an admin portal that is exposed to the internet, have been instructed to urgently install the patch. 

There appear to be more than 1,000 internet-exposed instances of GoAnywhere. However, according to the vendor, exploitation requires access to the application’s admin console, and at least some of the exposed instances are associated with the product’s web client interface, which is not impacted. 

No information was made available about the attacks exploiting the vulnerability, but managed endpoint detection and response firm Huntress reported this week that these attacks may have been conducted by a known cybercrime group. The company reached the conclusion after analyzing an attack detected in a customer environment on February 2.

Huntress has linked the attack to a malware family named Truebot, which was previously associated with a Russian-speaking threat actor named Silence. This group has also been linked to TA505, a threat group known for distributing the notorious Cl0p ransomware

“Based on observed actions and previous reporting, we can conclude with moderate confidence that the activity Huntress observed was intended to deploy ransomware, with potentially additional opportunistic exploitation of GoAnywhere MFT taking place for the same purpose,” Huntress said in a blog post.

Cybersecurity firm Rapid7 has analyzed the vulnerability and assigned it the CVE identifier CVE-2023-0669. While the product does not belong to Rapid7, the company is a CVE Numbering Authority and it can assign CVEs to flaws found in the products of other vendors. 

Related: Patch Tuesday: Microsoft Plugs Windows Hole Exploited in Ransomware Attacks

Related: Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang

Related: PetitPotam Vulnerability Exploited in Ransomware Attacks

The post GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks appeared first on SecurityWeek.

Documents, Code, Business Systems Accessed in Reddit Hack

documents,-code,-business-systems-accessed-in-reddit-hack

Reddit on Thursday informed users that its systems were hacked as a result of what the company described as a sophisticated and highly targeted phishing attack aimed at employees.

According to Reddit, the intrusion was detected on February 5. The hackers gained access to some internal documents, source code, internal dashboards and business systems. 

Up until this point in the investigation, Reddit has determined that the exposed information includes limited contact information for hundreds of contacts and current and former employees, as well as some advertiser information. 

“Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” Reddit said. 

There is no indication that user passwords or accounts have been compromised. The company also said there is no evidence of a breach of production systems, where the platform runs and where a majority of its data is stored.

The data breach was discovered after an employee informed Reddit’s security team that they had fallen for a phishing attack. The attackers targeted Reddit employees with “plausible-sounding prompts” that led them to a phishing website mimicking its intranet gateway. 

A Reddit representative noted in an AMA (Ask Me Anything) thread that the employee whose credentials were phished did have two-factor authentication (2FA) enabled on their account, as the company requires it for all employees. 

However, it seems that the phishing page targeted not only employee credentials, but also their second-factor tokens. 

Several major tech companies were targeted in sophisticated phishing attacks in the past months. One of them is Zendesk, which revealed recently that some employees handed over their credentials to threat actors in the fall of 2022. 

At around the same time, companies such as Twilio, Cloudflare and at least 130 others were targeted in a phishing campaign dubbed Oktapus, which appeared to be the work of financially-motivated threat actors.

Related: Reddit Names Allison Miller as CISO, VP of Trust

Related: Accounts of Reddit Moderators Hijacked in Pro-Trump Hack

Related: Reddit Locks Down Accounts Due to ‘Security Concern’

The post Documents, Code, Business Systems Accessed in Reddit Hack appeared first on SecurityWeek.