The GoAnywhere file transfer product and unsupported versions of Cobalt Strike have been manipulated into malware delivery channels, and the supplier, Fortra, says it is actively working to counteract this issue.
GoAnywhere was compromised by attackers exploiting a zero-day vulnerability and used to transmit malware designed to locate and exfiltrate sensitive information from the IT systems of Fortra clients. Victims include Rubrik, Hitachi, Rio Tinto, Hatch Bank, Community Health Systems, and the University of Toledo Medical Center.
Cobalt Strike is a threat emulation tool provided by cyber security supplier Fortra. Its agent, known as Beacon, acts as stand-in malware that can reside in an IT environment for an extended period. Fortra acquired the tool in 2020; it is designed to help customers detect real malware that has infiltrated their systems. Regrettably, unsupported versions of Cobalt Strike have been cracked and co-opted to distribute actual malware.
A Microsoft report explains: “Used by legitimate security professionals to simulate cyber attacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try and infect roughly 1.5 million devices.”
We asked Matthew Schoenfeld, president of Fortra, to further comment on these instances of product technology misuse.
Blocks & Files: How is Fortra combating the GoAnywhere DLP malware delivery episode?
Matthew Schoenfeld: For background, here’s our official statement on what happened regarding the GoAnywhere zero-day vulnerability: On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS (Managed File Transfer-as-a-Service) solution. We quickly implemented a temporary service outage and commenced an investigation.
We discovered between January 28, 2023, and January 30, 2023, an unauthorized party used a previously unknown, zero-day remote code execution (RCE) vulnerability to access certain GoAnywhere customers’ systems. This vulnerability was assigned CVE-2023-0669.
Our initial investigation revealed the unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments. For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their hosted MFTaaS environments. We prioritized communication with each of these customers to share as much relevant information as available to their specific instance of the GoAnywhere platform.
During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools – “Netcat” and “Errors.jsp” – in some MFTaaS customer environments between January 28, 2023, and January 31, 2023. The threat actor was not able to install both tools in every customer environment, and neither tool was consistently installed in every environment.
When we identified the tools used in the attack, we communicated directly with each customer if either of these tools was discovered in their environment. We reprovisioned a clean and secure MFTaaS environment and worked with each MFTaaS customer to implement mitigation measures. While we continue to monitor our hosted environment, there is no evidence of unauthorized access to customer environments that have been mitigated and reprovisioned by our team.
Blocks & Files: Isn’t this recent Cobalt Strike Microsoft effort a ‘closing a stable door after the horses have bolted’ initiative – because cracked copies of Cobalt Strike were also used to deliver malware?
Matthew Schoenfeld: Regarding our collaboration with Microsoft and Health-ISAC, Fortra had taken many steps to strengthen the overall security of Cobalt Strike prior to this action. These include:
- Strict vetting processes for Cobalt Strike customers – they are required to comply with usage restrictions and export controls;
- Issuing hundreds of DMCA (Digital Millennium Copyright Act) notices to web properties serving up unauthorized versions of the Cobalt Strike software;
- As criminals adapted their techniques, we adapted the security controls in Cobalt Strike to eliminate the methods used to crack older versions;
- Cooperation with many external partners, including the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF).
These steps continue and we remain relentless in our efforts to improve the security of the ecosystem.
Blocks & Files: With two of its products having been penetrated by malware, what is Fortra’s strategy to prevent future attacks?
Matthew Schoenfeld: For background, Cobalt Strike has not been penetrated by malware. The recent action is helping disrupt cracked, legacy copies of Cobalt Strike which have been used to distribute malware. Our ongoing strategy to prevent further misuse of Cobalt Strike is detailed in our response above.
Additionally, Microsoft recently published this update which provides further information on the collaboration and its results.
For a cyber security company, the misuse of its ethically developed threat emulation software to distribute real malware is undoubtedly a grave concern. As with any other software, trial versions exist, and some customers' support periods for licensed versions will have expired, leaving those copies open to being cracked and turned to malware delivery. The situation with Cobalt Strike underscores the need for stringent distribution and management of such software: every copy should be known, continuously monitored, authenticated at each run, and removed when its use ceases or its support expires.
Such software should be handled with the same caution as biohazardous material. In hindsight, that precaution was not adequately implemented, and the result is the ongoing cleanup operation by Fortra and Microsoft.
Microsoft’s involvement stems from its discovery of public-facing Cobalt Strike command-and-control servers on its Azure public cloud. Microsoft convinced Fortra to join forces in combating the threat, and together they have identified and analyzed around 50,000 unique instances of cracked Cobalt Strike, underlining the severity of the problem.
Both Microsoft and Fortra are targeting organizations and sites that are using unauthorized versions of Cobalt Strike. As per Microsoft’s report, they “are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software.”
“The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has since plummeted.”
The GoAnywhere breach relied on a previously unknown vulnerability in its code. Unknown vulnerabilities will always pose a risk, but closer monitoring and validation of file transfer destinations, together with more robust file control software, might have prevented this data theft.
Ransomware detection, prevention, and recovery systems are, by themselves, often defenceless against data theft malware. The same applies to many data loss prevention products, as illustrated by Code42 CEO Joe Payne. When customers use third-party file transfer services, they become exposed to malware delivery and data theft if those services are themselves compromised, as has happened here.
Fortra’s full GoAnywhere breach statement can be viewed here.