Ransomware-Wielding Attackers Target Unfixed WS_FTP Servers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Researcher Published Proof-of-Concept Exploit Code 1 Day After Vendor Issued Patch

Ransom note from the “Reichsadler Cybercrime Group” targeting unpatched WS_FTP Server software (Image: Sophos)

After the scans, the hacks: Ransomware-wielding hackers are targeting unpatched versions of FTP software widely used by large enterprises, including government and educational organizations.

See Also: Challenges and Solutions in MSSP-Driven Governance, Risk, and Compliance for Growing Organizations

Security firm Sophos reports seeing multiple attempts to exploit WS_FTP Server software, built by Progress Software. Its alert follows security firm Bitdefender last week reporting that scanning activity of unknown origin is focused on finding vulnerable WS_FTP Server software.

“Ransomware actors didn’t wait long to abuse the recently reported vulnerability in WS_FTP Server software,” Sophos said. “Even though Progress Software released a fix for this vulnerability in September, not all of the servers have been patched.” Sophos in a post to Mastodon said it’s seen attackers hunting for WS_FTP software installations that have yet to be patched.

Attempts to identify and exploit vulnerable instances of WS_FTP Server follow Burlington, Massachusetts-based Progress Software on Sept. 27 updating the software to patch multiple flaws, of which two are rated critical, three as high and three of medium severity. The vendor said the only way to fix the flaws is to use its installer to obtain a completely new version 8.7.5 or 8.8.3 of the software.

One of the two critical flaws is a .NET deserialization vulnerability in the company’s Ad Hoc Transfer Module for person-to-person file-sharing. Tracked as CVE-2023-40044, the vulnerability can be exploited to remotely execute code and take over the underlying system.

In an analysis of the vulnerability, security firm Rapid7 reported that it’s easy to exploit. “We can exploit this vulnerability with a single HTTPS POST request to any URI in the Ad Hoc Transfer module,” it said.

Sophos said the attack attempts it saw – against a customer – didn’t succeed, owing in part to attackers triggering a behavioral detection rule in its endpoint security software, which “stopped the ransomware download in the customer environment when a suspicious script made an outbound connection to a high-risk” IP address.

The attack chain began with an IIS component, leading to PowerShell scripts, then to the “GodPotato” open-source privilege-escalation tool, followed by a ransomware executable meant to be the coup de grâce, the security researchers reported.

For the crypto-locking malware part of the attack, the researchers found attackers wielding what appears to be ransomware compiled using the LockBit 3.0 – aka LockBit Black – source code leaked by an upset developer last September after a dispute with LockBit over money (see: LockBit Ransomware Group’s Big Liability: ‘Ego-Driven CEO’).

Sophos said attackers call themselves the “Reichsadler Cybercrime Group,” noting that the name is derived “from Nazi imagery,” and appear to be seeking $500 worth of Bitcoin from targets.

Proof-of-Concept Exploit Code

The Ad Hoc Transfer Module vulnerability was found and reported to Progress Software by Australian cybersecurity firm Assetnote, which said it would wait to publish a proof-of-concept exploit until 30 days post-patch, to give users time to update their software.

On Sept. 28, one day after Progress Software updated WS_FTP Server software, a third-party security researcher who uses the handle “MCKSys Argentina” released proof-of-concept exploit code.

Progress Software decried that move. “We are disappointed in how quickly third parties released a proof of concept, reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27,” a spokesperson said. “This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release.”

Despite the software vendor’s criticism, once a company releases a patch, attackers reverse-engineer the fix and start exploiting the vulnerability within days, if not hours.

In addition, one or more attackers may have already been exploiting the vulnerability before it got patched. That’s what happened with Progress Software’s MOVEit secure file-transfer software, for which attackers discovered a zero-day vulnerability. The Russian-language Clop ransomware group exploited the flaw in a massive campaign it launched in late May.Progress Software is facing a consolidated class action lawsuit as well as questions from privacy and other regulators at home and abroad as a result (see: US Securities and Exchange Commission Probes MOVEit Hack).

Once WS_FTP Server exploit details were in the public domain, Assetnote published its own research into the vulnerability and proof-of-concept exploit code, as have other researchers. The Metasploit open source penetration testing framework has also been updated with a module for exploiting the vulnerability.

Internet of Things search engine Shodan on Friday returned hits for nearly 2,000 servers running WS_FTP that also have their web server exposed, which Assetnote said is required for the software to be exploited. How many of those servers might have been patched isn’t clear. Assetnote said most “belong to large enterprises, governments and education.”

The CVE-2023-40044 vulnerability, which is in a module called MyFileUpload.UploadModule, appears to be 15 years old, said Martin Zugec, a technical solutions director at Bitdefender. “During our analysis, we identified this as a third-party file upload library sourced from, with a copyright notice reading ‘Copyright © Darren Johnstone 2008,'” he said in a blog post. “This means the module was developed by a single developer and last updated in 2008. It’s possible that other software utilizing this library may also be susceptible to the same vulnerability.”


Click Here For The Original Source.

National Cyber Security