Clop claims to have accessed data from more than 130 companies through a zero-day vulnerability in GoAnywhere MFT

The cybercriminal group behind the Clop ransomware has exploite. a zero-day vulnerability in GoAnywhere MFT to gain access to the confidential data of more than 130 organisations.

The software’s developer, Fortra, confirmed in early February that its file transfer manager had been compromised by a zero-day vulnerability that was being exploited, and released an update to enable customers to protect their servers, as reported by Bleeping Computer.

The breach, identified as CVE-2023-0669, allows threat actors to remotely execute code on instances of this file transfer software, as well as deploy ransomware payloads to encrypt their systems.

Clop claims to have accesse data from more than 130 companies through a zero-day vulnerability in GoAnywhere MFT

Despite the latter possibility, the cybercriminals only stole documents stored on the compromised GoAnywhere MFT servers, the group confirmed to the media.

Specifically, Clop claims to have stolen data from more than 130 organisations over the course of ten days once they breached the software’s servers through a zero-day vulnerability.

Zero Day’ vulnerabilities are software flaws for which there are no fixes and security patches because the software developers were unaware of their existence.

Despite disclosing the attack method and its consequences, the cybercriminals have not provided additional details about the possible extortion of victims or the nature or activity of the affected companies.

In the absence of more information about this attack, cyberthreat and cybersecurity platform Huntress says the attacks via GoAnywhere MFT are related to the RA5050 threat group, known for previously deploying the Clop ransomware.

Bleeping Computer also recalls that it has conducted a vulnerability status scan, which has identified more than a thousand instances of GoAnywhere exposed online.

The use of Clop to steal data via GoAnywhere MFT follows a similar technique to that used in December 2020, when cyber-scammers exploited a zero vulnerability in the Accellion File Transfer Applicance (FTA) network device to steal information from a hundred companies.

At the time, threat actors demanded ransom payments of around $10 million (around €9.3 million) from the companies to stop them from publishing their data publicly. Among those affected at the time were Shell, Kroger, Qualys and the University of Colorado.