Internet-exposed servers running WS_FTP Server software that has not been patched against a top-severity vulnerability have recently become targets of ransomware campaigns.
Sophos X-Ops incident responders observed the so-called Reichsadler Cybercrime Group making unsuccessful attempts to deploy ransomware payloads built with a LockBit 3.0 builder that had been stolen in September 2022.
Sophos X-Ops noted how quickly the attackers moved on the newly reported vulnerability in WS_FTP Server. Although Progress Software released a fix in September 2023, not every server had been updated, leaving adversaries free to attempt ransomware deployment through these unpatched services.
During the intrusions, the attackers used the open-source GodPotato tool to attempt privilege escalation to ‘NT AUTHORITY\SYSTEM’, which works across a range of Windows client and server versions. Their attempts to drop ransomware were nonetheless blocked, and the would-be victims’ data was never encrypted.
Despite failing to encrypt any data, the adversaries demanded a payment of $500, with a deadline of October 15, Moscow time. Such a modest sum suggests either that the group is targeting WS_FTP servers in large, automated campaigns or that its operators are newcomers to ransomware.
The flaw, tracked as CVE-2023-40044, stems from a .NET deserialization issue in the Ad Hoc Transfer Module. It allows unauthenticated attackers to remotely execute commands on the underlying operating system via HTTP requests.
On September 27, Progress Software released security updates addressing this WS_FTP Server vulnerability and urged system administrators to update affected versions.
Progress Software advised customers to upgrade to version 8.8.2, stressing that a full install of a patched release is the only effective remedy.
Shortly after the fix was released, Assetnote security researchers, who had discovered the WS_FTP issue, published proof-of-concept (PoC) exploit code. Assetnote’s investigation found nearly 2.9k internet-connected hosts running WS_FTP, most of them belonging to large businesses, government entities, and educational institutions.
Security company Rapid7 reported that attackers began exploiting CVE-2023-40044 on September 3, the same day the PoC exploit was released. Its telemetry suggests widespread targeting of vulnerable WS_FTP servers is likely.
The internet-scanning search engine Shodan lists almost 2,000 web-exposed devices running WS_FTP Server software, in line with Assetnote’s preliminary assessment.
Organizations that cannot update their servers promptly can disable the vulnerable WS_FTP Server Ad Hoc Transfer Module as an interim measure. The Health Sector Cybersecurity Coordination Center (HC3), the security arm of the U.S. Department of Health and Human Services, has also advised affected entities to update their servers without delay.
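To turn the advice above into a prioritized patch list, here is an added example (not code from the article, Progress Software, or Sophos) that triages a WS_FTP Server inventory against the 8.8.2 fix level. It assumes an inventory of hostname, installed version, and whether the Ad Hoc Transfer Module is enabled; the inventory below is constructed, and how those fields are collected is site-specific.

```python
"""Triage a WS_FTP Server inventory for CVE-2023-40044 exposure.

Added example, not part of the original article or of Progress Software's
tooling. Assumes each inventory entry records hostname, installed version,
and whether the Ad Hoc Transfer Module is enabled (collection is site-specific).
"""
from __future__ import annotations

FIXED_VERSION = "8.8.2"  # patched release named by Progress Software


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.8.2' into (8, 8, 2) so that '8.10' correctly sorts after '8.8'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter tuples are zero-padded."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def triage(host: dict) -> str:
    """'patched' (>= 8.8.2), 'mitigated' (unpatched, module disabled) or 'exposed'."""
    if not version_lt(host["version"], FIXED_VERSION):
        return "patched"
    return "exposed" if host["adhoc_module_enabled"] else "mitigated"


# Constructed sample inventory; hostnames and versions are not real systems.
INVENTORY = [
    {"host": "ftp-a.example.test", "version": "8.8.2", "adhoc_module_enabled": True},
    {"host": "ftp-b.example.test", "version": "8.7.4", "adhoc_module_enabled": True},
    {"host": "ftp-c.example.test", "version": "8.8", "adhoc_module_enabled": False},
    {"host": "ftp-d.example.test", "version": "8.10.0", "adhoc_module_enabled": True},
]


def triage_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Group hostnames by status; 'exposed' hosts are the ones to patch first."""
    groups: dict[str, list[str]] = {"exposed": [], "mitigated": [], "patched": []}
    for entry in inventory:
        groups[triage(entry)].append(entry["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in triage_inventory(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "mitigated" group still need the full 8.8.2 upgrade; disabling the module only removes the known entry point.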
Separately, Progress Software is still dealing with the fallout of a series of large-scale data breaches earlier this year, which, by Emsisoft’s count, affected over 2,500 organizations and approximately 64 million people.