Key lessons from the GoAnywhere attack: a proactive guide to ransomware containment

30 June 2023

Paul Dant, senior director, cybersecurity strategy & research at Illumio

The Clop GoAnywhere ransomware attack has dominated headlines in recent weeks, having affected 130 businesses worldwide thus far. The attack was initiated by threat actors who exploited a zero-day vulnerability in the widely used data transfer tool, Fortra GoAnywhere, enabling them to steal data from their victims.

The Washington Post has labelled it 'this year's second mass ransomware attack,' and new victims continue to come forward each day. From a hacker’s perspective, a few aspects of this attack stood out:

• The severity of a pre-authentication remote code execution (RCE) capability is very high.
• The basis of the attack is a command injection vulnerability in the GoAnywhere licensing code, exposed in a web application.
• A well-known, easily recognised web application vulnerability is an attack vector.

An RCE vulnerability is particularly dangerous because it allows attackers to execute arbitrary code remotely, likely with administrator-level privileges. Any vulnerable GoAnywhere instance with specific ‘admin ports’ exposed to the attacker (not necessarily to the internet) is a potential target. When it comes to ransomware risk, this is the worst case: undetected, attackers will begin to evaluate your environment for extortion opportunities, including exfiltration of any potentially valuable data sitting in the GoAnywhere instance. During this attack phase, the activity can look pretty ‘normal,’ specifically executed to evade common detection and prevention controls.

So far, the GoAnywhere ransomware incident has affected several major UK organisations, including Virgin Red and the Government Pension Fund. Ransomware has been a major threat to the UK’s national economy and digital infrastructure. Last year, 73% of UK organisations were affected by such attacks. Therefore, it is critical for businesses to re-think their cybersecurity approach and implement robust measures to contain the growing threats of ransomware.

The threat of web application attacks: lessons learned and key takeaways

Many exploits involving RCE are buffer overflow exploits that often generate software crashes, service restarts, system reboots, and other unusual behaviours that aid in detecting the attack. Exploits targeting vulnerable web applications, like the command injection attack in GoAnywhere, may not provide any of those indicators yet still lead to RCE.

A cross-site request forgery (CSRF) attack vector lets attackers target vulnerable GoAnywhere instances from outside the network via an unwitting insider. Remember when you were a child and tried to get your parents to sign off on a late slip or a not-so-great school report without them noticing? Well, that's essentially what a CSRF attack does: it exploits the trust a web application has in a user's browser by forging requests that appear to be legitimate. These malicious requests are indistinguishable from actual user-initiated requests, making them difficult to identify and block. In this case, an attacker can trick a user into unknowingly sending a malicious payload to the GoAnywhere server, which has no way of knowing the request is forged and didn’t originate from the user.

To address the CSRF vulnerability, Fortra introduced a web application cookie that stored a validation code, commonly known as an anti-CSRF token, to validate requests to the application. Researchers have already demonstrated a bypass of that request validation, although the command injection vulnerability itself is addressed in a software patch. However, as evidenced by the Clop ransomware attack, the damage has already been done. So, how can the industry improve, and what are the key takeaways and lessons learned from this incident? There are several of note:

1. Despite decades of awareness, web application vulnerabilities like CSRF are still out there, and can provide an initial network access point for attackers.
2. Detection and prevention controls should be reviewed and updated regularly to identify new and evolving threats.
3. Companies should prioritise timely patching and updates to fix vulnerabilities as soon as they are discovered.
4. Lateral movement throughout the environment allows attackers to find and attack your most critical assets. A single system compromise can become a cyber disaster.
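The anti-CSRF token mitigation described above, as an added example that is not GoAnywhere's or Fortra's code: a minimal request handler before and after adding a synchronizer token (held server-side, compared in constant time) together with an Origin header check. The session store, the site origin and the request shapes are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}
SITE_ORIGIN = "https://goanywhere.example"  # placeholder origin, not a real host

def new_session():
    """Create a session and attach a fresh, unguessable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def handle_unprotected(request):
    """'Before' handler: accepts any request carrying a valid session cookie.
    The browser attaches that cookie to a forged cross-site request as well."""
    if request["cookie_sid"] not in SESSIONS:
        return 401
    return 200  # state-changing action runs

def handle_protected(request):
    """'After' handler: synchronizer-token pattern plus an Origin header check."""
    session = SESSIONS.get(request["cookie_sid"])
    if session is None:
        return 401
    # Browsers set Origin themselves; script on a third-party page cannot override it.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    # The token must arrive in the form body or a custom header and is compared with
    # the server-side copy, never with another value the same request carries.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    return 200

def demo():
    """Run one legitimate and one forged request through both handlers."""
    sid = new_session()
    legitimate = {"cookie_sid": sid, "headers": {"Origin": SITE_ORIGIN},
                  "form": {"csrf_token": SESSIONS[sid]["csrf_token"]}}
    # The forged request carries the victim's cookie but not the token, which a
    # third-party page cannot read, and its Origin is the third-party site.
    forged = {"cookie_sid": sid, "headers": {"Origin": "https://third-party.example"},
              "form": {}}
    return {"unprotected_forged": handle_unprotected(forged),
            "protected_forged": handle_protected(forged),
            "protected_legit": handle_protected(legitimate)}
```

The unprotected handler returns 200 for the forged request, while the protected one rejects it with 403 and still accepts the genuine request.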

It's important to note that system compromises and network infiltrations can happen to UK businesses just as easily as they can to any other organisation. Therefore, it's vital to ensure that robust measures are in place to protect against these types of attacks.

Proactive steps to reducing the risks of ransomware

To mitigate the risks of ransomware, businesses must learn from the GoAnywhere incident. Although some customers mistakenly exposed their GoAnywhere software to the internet, the attack can still be highly effective for threat actors who infiltrate the system from within. This has resulted in large numbers of victims, and many may still be unaware of the breach. Moreover, this incident is just one of several mass ransomware attacks that have occurred this year, highlighting the fact that any organisation, regardless of size or location, is vulnerable.

Fortunately, there are steps that organisations can take to prepare for and minimise the impact of such attacks. One popular risk reduction tool is Zero Trust Segmentation (ZTS), also known as microsegmentation, which can create an enforcement boundary that blocks access to targeted ports except from the few systems that require access. This approach can significantly reduce the blast radius of a cyberattack, with ZTS capable of reducing the blast radius by up to 66%, according to a Forrester Total Economic Impact study commissioned by Illumio.

It's important for businesses of all sizes to understand the risks of cyberattacks and take proactive steps to protect themselves. Implementing effective risk reduction measures such as Zero Trust Segmentation, and regularly reviewing and updating detection and prevention controls, can help prevent and mitigate the damage caused by data breaches and ransomware attacks.

In short, the Clop GoAnywhere attacks are a significant and complicated issue. However, they are not the only attacks of their kind, and ransomware attackers are becoming increasingly sophisticated. Therefore, it is the responsibility of business and security leaders to protect their organisations and customer data from these cunning adversaries. This can be achieved by investing in tools and technologies that prioritise visibility, containment, and control. It is important to keep in mind that the threat landscape is constantly evolving, and businesses must stay vigilant to protect themselves and their customers.