Patch for Fortra GoAnywhere Critical Vulnerability and Unauthorized Remote Access Using the ScreenConnect Tool

Fortra has announced a critical vulnerability identified in its GoAnywhere Managed File Transfer (MFT) solution and has issued a patch. The vulnerability, CVE-2024-0204, is an authentication bypass caused by a path traversal weakness. An unauthenticated attacker can exploit it to create a new admin user through the administration portal, then remotely manage the customer's settings and access their system. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10.

Fortra stated in its security alert that the vulnerability affects all GoAnywhere MFT versions before 7.4.1. All users of the file transfer solution should upgrade to version 7.4.1 immediately. Where an immediate upgrade is not possible, Fortra has recommended temporary fixes.

For non-container deployments, the InitialAccountSetup.xhtml file must be deleted from the install directory and the services restarted. For container deployments, the InitialAccountSetup.xhtml file must be deleted and replaced with an empty file, followed by a restart.

Managed file transfer solutions are a favored target for attackers. In 2023, the Clop ransomware gang exploited CVE-2023-0669, a vulnerability in Fortra's GoAnywhere MFT, and attacked 129 of the company's clients, including several healthcare organizations. Exploitation of the new vulnerability is probable: according to Searchlight Cyber threat intelligence engineer John Honey, at least one Telegram channel is circulating a proof-of-concept exploit for it.

After updating to version 7.4.1 or applying the temporary fix, an audit must be carried out to verify whether any new admin users were created in the admin users group in the GoAnywhere administrator portal. The cybersecurity company Horizon3 also suggests reviewing the database log files at \GoAnywhere\userdata\database\goanywhere\log*.log, since they hold the transactional record of the database and will contain entries whenever new admin users are added.
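The post-mitigation checks above (workaround state of the setup page, and a hunt through the database log files for admin-user creation) as an added Python example; this is not Fortra's or Horizon3's tooling. It assumes the log files are text lines that begin with a timestamp and that the admin-user table name contains ADMIN and USER; the table name GA_ADMIN_USER and the sample lines are constructed placeholders, so adjust the patterns to the real log content.

```python
"""Post-mitigation audit helper for the CVE-2024-0204 steps above (added example,
not Fortra's or Horizon3's tooling). Assumed: text log lines starting with a
timestamp and an admin-user table whose name contains ADMIN and USER; the
placeholder name GA_ADMIN_USER and the sample lines below are constructed."""
import re
from datetime import datetime
from pathlib import Path

# Assumed line shape "<YYYY-MM-DD HH:MM:SS> INSERT INTO <table> ..."; adjust to the real format.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})")
ADMIN_INSERT = re.compile(r"\bINSERT\s+INTO\s+(\S*ADMIN\S*USER\S*)", re.IGNORECASE)

def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def classify_setup_page(exists: bool, size: int) -> str:
    """Workaround state of InitialAccountSetup.xhtml in the install directory:
    absent or empty is mitigated; a non-empty page is still reachable."""
    if not exists:
        return "mitigated: page removed"
    if size == 0:
        return "mitigated: page replaced with empty file"
    return "vulnerable: setup page still present"

def workaround_state(install_dir: Path) -> str:
    page = install_dir / "InitialAccountSetup.xhtml"
    return classify_setup_page(page.is_file(), page.stat().st_size if page.is_file() else 0)

def suspicious_admin_inserts(lines, since: datetime):
    """(timestamp, table, line) for admin-user inserts at or after `since`. Lines
    without a parseable timestamp are kept: a missed event beats a false positive."""
    hits = []
    for line in lines:
        m = ADMIN_INSERT.search(line)
        if not m:
            continue
        ts = TIMESTAMP.match(line)
        when = parse_ts(" ".join(ts.groups())) if ts else None
        if when is None or when >= since:
            hits.append((when, m.group(1), line.strip()))
    return hits

# Constructed sample of the assumed log shape; only the two GA_ADMIN_USER inserts matter.
SAMPLE_LOG = """\
2024-01-10 08:00:12 INSERT INTO GA_ADMIN_USER (USERNAME) VALUES ('it_admin')
2024-01-23 03:14:55 INSERT INTO GA_USER (USERNAME) VALUES ('partner_upload')
2024-01-23 03:15:02 INSERT INTO GA_ADMIN_USER (USERNAME) VALUES ('support_tmp')
INSERT INTO GA_ADMIN_USER (USERNAME) VALUES ('no_timestamp')
"""
```

For a real audit, read each log*.log file under \GoAnywhere\userdata\database\goanywhere, pass its lines to suspicious_admin_inserts with the date the instance became exposed (or the last known-good date) as since, and cross-check every hit against the admin users group in the administrator portal.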

HC3 Alerts of Risk of Unauthorized Remote Access Using the ScreenConnect Tool

A threat actor abused the ScreenConnect remote access tool to gain access to the systems of organizations in the healthcare and public health (HPH) sector. According to a Health Sector Cybersecurity Coordination Center (HC3) sector advisory, between October 28 and November 8, 2023, an unidentified threat actor exploited a locally hosted ScreenConnect instance to obtain remote access to victims' networks.

Once access was obtained, the threat actor installed additional remote access tools, including SecureConnect and AnyDesk instances, to maintain persistent access to victims' systems. Researchers at the cybersecurity firm Huntress identified two attacks on specific healthcare organizations. The threat actor's activity indicates that network reconnaissance was carried out in preparation for a possible escalation of attacks.

On November 14, the ScreenConnect vendor stated that the attacker had gained access to an on-premises ScreenConnect instance that had not been updated since 2019, and that the affected companies had not followed the recommended best practices. In the attack, the threat actor took advantage of local ScreenConnect instances used by Transaction Data Systems (now Outcomes), a pharmacy supply chain and management systems solutions provider. The company develops the Rx30 and ComputerRx software products, which are used by pharmacies in 50 states. The Huntress researchers were unable to determine the full impact of the attack, but say it could be substantial.

HC3 has published Indicators of Compromise (IoCs) linked to the attack and instructs all clients of the pharmacy supply chain and management systems solutions provider to check their systems for these IoCs immediately. Any IoCs discovered must be taken seriously and should trigger a prompt, thorough investigation and a detailed breach response.

According to HC3, the exposed endpoints were unmanaged Windows Server 2019 systems. Organizations must take decisive steps to protect their infrastructure. HC3 recommends deploying enhanced endpoint monitoring, adopting cybersecurity frameworks, and conducting threat hunting to reduce the risk of attacks by threat actors.