The mass exploitation of the GoAnywhere vulnerability in this recent wave of Cl0p ransomware attacks is unprecedented. We know many companies use GoAnywhere, but the sheer number of organizations that Cl0p has reportedly compromised in a relatively short amount of time should raise concerns.
Over the past few weeks, Cl0p has added nearly 200 organizations to their data leaks extortion website. The list includes the likes of Saks Fifth Avenue, the City of Toronto, Brightline, Virgin Group, Procter & Gamble and the UK Pension Protection Fund, just to name a few.
Some of the organizations have already confirmed they were victimized, but many on the list have not yet reported an attack. Those organizations may be the next to find they have lost sensitive data to exfiltration and/or access to systems once a ransomware payload is delivered.
Attackers are keen to exploit new vulnerabilities (and old ones, too), but they often only become aware of the exploitable flaw after a patch is issued by the vendor. They count on organizations to not push the patch out in a timely manner and leverage that knowledge as an opportunity to breach the network.
Is Cl0p Leveraging Automation?
Looking at that list, one thing is pretty apparent - Cl0p is almost certainly leveraging automated scans to identify organizations exposed to the GoAnywhere vulnerability who have not patched yet.
Attackers using automated scans to look for vulnerabilities to exploit is nothing new. However, ransomware gangs exploiting a single unpatched vulnerability with such precision to compromise upwards of 200 victims in a short period of time is certainly rare. Their ability to automate target selection should be of concern.
Like the organizations they target, ransomware gangs are turning to automation for greater return on investment (ROI) in their operations. For a gang like Cl0p that is financially motivated with the goal of compromising as many victims as efficiently as possible, automation allows them to be more opportunistic and scale their operations.
However, GoAnywhere is not the only buggy tool out there that can be exploited en masse like this. It's just a strong example of what we can expect as these RaaS operators continue to mature and improve their automation capabilities.
Could IBM Aspera Faspex be next?
Given what we’ve already seen in the Cl0p/GoAnywhere campaign, users of a similar tool from IBM called Aspera Faspex should be seriously concerned, as it presents a similar open infection pathway for many organizations.
The vulnerability is rated 9.8 (critical) and impacts IBM Aspera Faspex 4.4.2 and earlier versions. Although the vulnerability was first identified back in January and a patch has been available since then, just last month multiple security vendors spotted the IceFire ransomware gang deploying a novel Linux version of their ransomware that exploits the vulnerability.
Takeaway from the GoAnywhere attacks
A recent scan conducted by researchers using Shodan quickly identified 138 vulnerable instances. This is likely what attackers like Cl0p and IceFire are doing, simply using automated scans that look for unpatched instances, then exploiting them to infiltrate and move laterally through the network of their targets.
Cl0p was able to hit a significant number of targets in a short period of time because they likely automated scans that search the internet for networks still vulnerable to the bug. Likely, several threat actors are similarly looking for exploitable instances of IBM’s Aspera Faspex.
This is why organizations can’t wait for an attacker to hit them with a ransomware payload before their ransomware defense strategy kicks in. These attacks typically involve weeks or even months of activity by attackers as they work to infiltrate as much of the target network and exfiltrate as much data as possible before encrypting systems.
These are multi-stage attacks, and that means there are multiple opportunities to detect and stop them, or at least reduce their impact. Doing so requires both a robust prevention capability and an agile resilience strategy to ensure minimal disruption and a swift return to normal operations.
Delivery of the ransomware payload is the tail end of an attack. There are ample opportunities to disrupt the attack earlier: at initial ingress, when attackers move laterally, command and control is established, data exfiltration begins, and so on. Patching in a timely manner is critical and should be a high priority for every organization, especially for any software with a lot of network access.
Furthermore, organizations should ensure endpoint protection solutions are deployed, networks are segmented, data backups are isolated and protected, and access and identity controls are sound. They should also follow the principle of least privilege (Zero Trust), provide employee awareness training, and implement regular organizational procedures and resilience testing.
While an organization cannot prevent an attacker from scanning their network for vulnerabilities, they can assess what an attacker might find in such a scan and proactively harden their network.
Lastly, organizations should leverage CISA's Known Exploited Vulnerabilities Catalog as a resource to stay aware of the vulnerabilities actively being exploited by attackers. Automated attacks will persist, but there is much organizations can do to reduce or eliminate known vulnerabilities before threat actors can take advantage.
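A defender-side check of the kind the closing paragraph recommends, added here as an example and not the article's own code: it parses a catalog in the shape of CISA's KEV JSON feed, matches it against an asset inventory, and ranks internet-facing products with known ransomware use and the nearest remediation due date first. The catalog and inventory below are constructed samples; the CVE IDs and dates are placeholders, not the real identifiers for the GoAnywhere or Aspera Faspex flaws.

```python
import json
from datetime import date

# Real feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# CONSTRUCTED sample in the same shape; cveID values and dates are placeholders.
SAMPLE_KEV = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
         "dateAdded": "2023-02-01", "dueDate": "2023-03-03",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "IBM", "product": "Aspera Faspex",
         "dateAdded": "2023-02-15", "dueDate": "2023-03-14",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2023-03-01", "dueDate": "2023-03-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CONSTRUCTED asset inventory: what the organization runs and whether it faces the internet.
INVENTORY = [
    {"host": "mft-01", "vendor": "Fortra", "product": "GoAnywhere MFT", "internet_exposed": True},
    {"host": "xfer-02", "vendor": "IBM", "product": "Aspera Faspex", "internet_exposed": True},
    {"host": "app-07", "vendor": "ExampleCo", "product": "Widget", "internet_exposed": False},
    {"host": "db-03", "vendor": "OtherCo", "product": "Database", "internet_exposed": False},
]


def kev_matches(kev_json, inventory, today_iso):
    """Return inventory assets whose vendor/product appear in the KEV catalog, most urgent first."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())  # case-insensitive match
        by_product.setdefault(key, []).append(v)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for v in by_product.get(key, []):
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "ransomware_use": v["knownRansomwareCampaignUse"] == "Known",
                "days_to_due": (date.fromisoformat(v["dueDate"]) - today).days,
            })
    # Priority: internet-facing first, then known ransomware use, then nearest due date.
    findings.sort(key=lambda f: (not f["internet_exposed"], not f["ransomware_use"], f["days_to_due"]))
    return findings
```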