Ransomware Attacks Now Target Unpatched WS_FTP Servers

Cyber Security Threat Summary:
“Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022” (Bleeping Computer, 2023).

According to the researchers, the ransomware actors didn’t wait long to attempt exploitation of the WS_FTP Server software. While a fix for the vulnerability was released in September, many servers remain unpatched. Sophos X-Ops says they have observed several attempts to deploy ransomware through these unpatched services.

Tracked as CVE-2023-40044, the flaw is a .NET deserialization vulnerability in the Ad Hoc Transfer Module that enables unauthenticated attackers to remotely execute commands on the underlying OS via HTTP requests.

On September 27, Progress Software released security updates to address the critical WS_FTP Server vulnerability, urging admins to upgrade vulnerable instances. Researchers from Assetnote released a public proof-of-concept (PoC) soon after the update was released, meaning threat actors had ample time to target vulnerable instances of WS_FTP that were slow to patch or have yet to be patched. Cybersecurity company Rapid7 revealed that attackers began exploiting CVE-2023-40044 on September 3, the day the PoC exploit was released. They also noted the execution chain looked the same across observed instances, which could be the result of mass exploitation.

Shodan scans list around 2,000 Internet-exposed devices running WS_FTP Server software.

Security Officer Comments:
Notably, the attackers are attempting to escalate their privileges using an open-source tool called GodPotato, which allows privilege escalation on Windows 8 through Windows 11 and Windows Server 2012 through Windows Server 2022. While the attempt to deploy the ransomware was unsuccessful in this case, it still highlights the dangers of leaving publicly exposed systems unpatched. We expect exploitation attempts against CVE-2023-40044 to continue as organizations work to patch vulnerable systems.

This is the latest critical vulnerability in a piece of Progress software. Recently, the Cl0p ransomware group carried out attacks leveraging a vulnerability in MOVEit, a popular piece of data migration software. The impacts of the MOVEit ransomware attacks are enormous, breaking all previous records from a monetary perspective, with some researchers estimating costs exceeding $10 billion across all impacted organizations. More than 2,500 organizations and more than 64 million individuals were impacted.

Suggested Correction(s):
Customers must upgrade to WS_FTP Server 8.7.4, 8.8.2, or later to patch the vulnerabilities. For more information, please refer to the WS_FTP Security Advisory.

Organizations that cannot immediately patch their servers can block incoming attacks by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module.
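
One way to apply the two recommendations above across a fleet is a small triage script. This is an added example, not code from Progress or the original summary. The CSV inventory format, hostnames, and status labels are constructed for illustration; only the fixed versions (8.7.4 and 8.8.2) come from the text above.

```python
import csv
import io

# Fixed releases named in the summary above, keyed by (major, minor) branch.
FIXED = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,version,adhoc_module
ftp-01.example.internal,8.7.3,enabled
ftp-02.example.internal,8.7.10,enabled
ftp-03.example.internal,8.8.1,disabled
ftp-04.example.internal,8.6.2,unknown
ftp-05.example.internal,8.8.2,enabled
ftp-06.example.internal,n/a,enabled
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED:
        # Tuple comparison is numeric, so 8.7.10 correctly sorts above 8.7.4.
        return version >= FIXED[branch]
    # Branches newer than 8.8 count as "or later"; older ones have no listed fix.
    return branch > max(FIXED)

def triage(row):
    """Classify one inventory row; anything uncertain fails closed."""
    version = parse_version(row["version"])
    if version is None:
        return "UNKNOWN"      # cannot verify: inspect the host manually
    if is_patched(version):
        return "PATCHED"
    if row["adhoc_module"].strip().lower() == "disabled":
        return "MITIGATED"    # module off, but the upgrade is still required
    return "EXPOSED"          # unpatched, module enabled or state unknown

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{status:10} {host}")
```

Hosts reported as MITIGATED still need the upgrade; the label only means the interim workaround is in place.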