ZeroFox Daily Intelligence Brief - April 20, 2023
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Please find today’s daily roundup with recommendations that aim to give you and your clients an advantage over the adversary.
Key Findings
- Investigation Reveals Findings on GoAnywhere Zero-Day Attacks That Hit over 130 Organizations
- Cybersecurity Agencies of the “Five Eyes” Recommend Best Practices for Smart Cities
- Security Scaled Up After U.S. Intelligence Data Leak
Investigation Reveals Findings on GoAnywhere Zero-Day Attacks That Hit over 130 Organizations
The Fortra security team has disclosed details of its investigation into suspicious activity detected in the GoAnywhere MFT solution earlier this year. Initial reports suggested that from January 28–30, 2023, an unauthorized party used a zero-day remote code execution vulnerability (later assigned the identifier CVE-2023-0669) to access customers' systems, create unauthorized accounts, and download files from MFTaaS customer environments. As the investigation proceeded, Fortra discovered that the exploit had been used against on-premises customers running a specific configuration of GoAnywhere MFT as early as January 18, 2023, indicating that the bug was under active but limited exploitation for at least two weeks before Fortra discovered the security breach.
In several of last month’s Daily Intelligence Briefs, ZeroFox Intelligence reported that the Clop ransomware group exploited this bug in attacks, noting that the group’s leak site names the Australian state of Tasmania, the city of Toronto (Canada), and the Indian state of Goa, as well as prominent corporate victims such as Hitachi Energy, Virgin Red, and Scholastic.
Recommendations:
- To guard against similar attacks, organizations should rotate their Master Encryption Key, and admins should review audit logs and delete any illegitimate admin or web user accounts.
- If the exposed GoAnywhere MFT instances have been used to host credentials of users of other systems in the environment, these credentials should be revoked to prevent subsequent breaches or lateral network movement.
- Users that have not yet updated to GoAnywhere MFT version 7.1.2 should do so as soon as possible.
Cybersecurity Agencies of the “Five Eyes” Recommend Best Practices for Smart Cities
The cybersecurity agencies of the Five Eyes countries (the United States, the United Kingdom, Australia, Canada, and New Zealand) have published an advisory detailing best practices for making smart cities cyber-safe. The advisory highlights the risks faced by smart cities, which include expanded and interconnected attack surfaces, supply chain risk associated with information and communication technology (ICT), and increasing automation of infrastructure operations. The agencies provide recommendations to help communities strengthen their cyber posture, secure planning and design, proactively manage supply chain risk, and achieve operational resilience.
Recommendations:
- Organizations responsible for implementing smart-city technology should adopt these best practices to mitigate the risks associated with newer cyber technology and incorporate the Five Eyes agencies’ recommendations to build cyber-safe cities.
- Follow ZeroFox Intelligence to remain updated on global cybersecurity news.
Fitness App Leaks User Location Despite Opting for Privacy Zones
Researchers have expressed concern over a loophole in the “endpoint privacy zones” offered by fitness apps such as Strava, which are used to track physical exercise. Even when the user enables a privacy zone, the app can still leak location data, and an attacker can use the high-precision metadata exposed by the app’s API to pinpoint the user’s home location. Strava is in ongoing discussions with the researchers about potential mitigations.
Recommendations:
- Fitness app users should be aware that they may be revealing their location data by using these apps and carefully weigh the risks versus the benefits of doing so.
- Developers should consider incorporating the recommendations made by the researchers to mitigate exploitation of app location services.
- Location-based countermeasures such as generalization or truncation can be effective at thwarting attacks but can also reduce usability. Therefore, providers of such app services must carefully balance functionality with guaranteeing user privacy.
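To make the generalization-versus-usability trade-off in the last recommendation concrete, here is an added example, not code from Strava or from the researchers. It implements a simple privacy-zone filter (drop track points within a radius of a protected location), the two countermeasures the brief names (coordinate truncation and snapping to a grid), and a bound on how much positional uncertainty each setting buys. The track points, home coordinate, zone radius and the API-shaped `published_endpoints` function are all constructed for illustration.

```python
"""Location generalization and truncation, with the uncertainty each introduces.

Added example; not Strava's or the researchers' code. The track, the home
coordinate and the privacy-zone radius below are constructed sample values."""
import math

EARTH_RADIUS_M = 6_371_000.0
METERS_PER_DEG_LAT = 111_320.0  # approximate; adequate for error bounds


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def truncate_coord(lat, lon, decimals):
    """Truncation: keep `decimals` decimal places (floor, so the true point lies in [v, v+step))."""
    f = 10 ** decimals
    return math.floor(lat * f) / f, math.floor(lon * f) / f


def snap_to_grid(lat, lon, cell_m):
    """Generalization: snap to the corner of a roughly cell_m x cell_m grid cell."""
    dlat = cell_m / METERS_PER_DEG_LAT
    dlon = dlat / max(math.cos(math.radians(lat)), 1e-6)  # longitude degrees shrink with latitude
    return math.floor(lat / dlat) * dlat, math.floor(lon / dlon) * dlon


def worst_case_error_m(lat, decimals):
    """Upper bound on how far a truncated point can be from the true point (cell diagonal)."""
    dlat_m = METERS_PER_DEG_LAT / 10 ** decimals
    dlon_m = dlat_m * math.cos(math.radians(lat))
    return math.hypot(dlat_m, dlon_m)


def hide_within_zone(track, center, radius_m):
    """Privacy-zone filter: drop every track point within radius_m of the protected location."""
    return [p for p in track if haversine_m(p[0], p[1], center[0], center[1]) >= radius_m]


def published_endpoints(track, center, radius_m, decimals):
    """What a hypothetical API would expose: the zone-filtered track with truncated endpoints."""
    visible = hide_within_zone(track, center, radius_m)
    if not visible:
        return []
    first = truncate_coord(*visible[0], decimals)
    if len(visible) == 1:
        return [first]
    last = truncate_coord(*visible[-1], decimals)
    return [first] + visible[1:-1] + [last]


# Constructed sample: a "home" and a track heading north in ~111 m steps.
HOME = (51.50735, -0.12776)
TRACK = [(51.50735 + 0.001 * i, -0.12776) for i in range(6)]
ZONE_RADIUS_M = 300

if __name__ == "__main__":
    for d in (2, 3, 4):
        print(f"{d} decimals -> up to {worst_case_error_m(HOME[0], d):.0f} m of uncertainty")
    print("visible points:", len(hide_within_zone(TRACK, HOME, ZONE_RADIUS_M)))
    print("published:", published_endpoints(TRACK, HOME, ZONE_RADIUS_M, 3))
```

The numbers are the point: at London's latitude, truncating to two decimal places leaves roughly 1.3 km of uncertainty, three places about 130 m, four about 13 m. A provider choosing a setting is choosing where on that scale the exposed endpoints sit, and the filter alone (without generalizing what remains) leaves the first visible point at full precision.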
Tags: DIB, tlp:green