Ransomware-Wielding Attackers Target Unfixed WS_FTP ServersResearcher Published Proof-of-Concept Exploit Code 1 Day After Vendor Issued Patch
After the scans, the hacks: Ransomware-wielding hackers are targeting unpatched versions of FTP software widely used by large enterprises, including government and educational organizations.
Security firm Sophos reports seeing multiple attempts to exploit WS_FTP Server software, built by Progress Software. Its alert follows security firm Bitdefender last week reporting that scanning activity of unknown origin is focused on finding vulnerable WS_FTP Server software.
"Ransomware actors didn't wait long to abuse the recently reported vulnerability in WS_FTP Server software," Sophos said. "Even though Progress Software released a fix for this vulnerability in September, not all of the servers have been patched." Sophos in a post to Mastodon said it's seen attackers hunting for WS_FTP software installations that have yet to be patched.
Attempts to identify and exploit vulnerable instances of WS_FTP Server follow Burlington, Massachusetts-based Progress Software on Sept. 27 updating the software to patch multiple flaws, of which two are rated critical, three as high and three of medium severity. The vendor said the only way to fix the flaws is to use its installer to obtain a completely new version 8.7.5 or 8.8.3 of the software.
One of the two critical flaws is a .NET deserialization vulnerability in the company's Ad Hoc Transfer Module for person-to-person file-sharing. Tracked as CVE-2023-40044, the vulnerability can be exploited to remotely execute code and take over the underlying system.
In an analysis of the vulnerability, security firm Rapid7 reported that it's easy to exploit. "We can exploit this vulnerability with a singlehttpS POST request to any URI in the Ad Hoc Transfer module," it said.
Sophos said the attack attempts it saw - against a customer - didn't succeed, owing in part to attackers triggering a behavioral detection rule in its endpoint security software, which "stopped the ransomware download in the customer environment when a suspicious script made an outbound connection to a high-risk" IP address.
The attack chain began with an IIS component, leading to PowerShell scripts, then to the "GodPotato" open-source privilege-escalation tool, followed by a ransomware executable meant to be the coup de grâce, the security researchers reported.
For the crypto-locking malware part of the attack, the researchers found attackers wielding what appears to be ransomware compiled using the LockBit 3.0 - aka LockBit Black - source code leaked by an upset developer last September after a dispute with LockBit over money (see: LockBit Ransomware Group's Big Liability: 'Ego-Driven CEO').
Sophos said attackers call themselves the "Reichsadler Cybercrime Group," noting that the name is derived "from Nazi imagery," and appear to be seeking $500 worth of Bitcoin from targets.
Proof-of-Concept Exploit Code
The Ad Hoc Transfer Module vulnerability was found and reported to Progress Software by Australian cybersecurity firm Assetnote, which said it would wait to publish a proof-of-concept exploit until 30 days post-patch, to give users time to update their software.
On Sept. 28, one day after Progress Software updated WS_FTP Server software, a third-party security researcher who uses the handle "MCKSys Argentina" released proof-of-concept exploit code.
Progress Software decried that move. "We are disappointed in how quickly third parties released a proof of concept, reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27," a spokesperson said. "This provided threat actors a road map on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch. We are not aware of any evidence that these vulnerabilities were being exploited prior to that release."
Despite the software vendor's criticism, once a company releases a patch, attackers reverse-engineer the fix and start exploiting the vulnerability within days, if not hours.
Of course, attackers don't always wait for researchers to identify zero day vulnerabilities for them - a fact Progress Software knows from its experience with the Russian-speaking Clop ransomware group's mass exploitation in late May of its MOVEit secure file-transfer software.* Progress Software is facing a consolidated class action lawsuit as well as questions from privacy and other regulators at home and abroad as a result (see: US Securities and Exchange Commission Probes MOVEit Hack).
Once WS_FTP Server exploit details were in the public domain, Assetnote published its own research into the vulnerability and proof-of-concept exploit code, as have other researchers. The Metasploit open source penetration testing framework has also been updated with a module for exploiting the vulnerability.
Internet of Things search engine Shodan on Friday returned hits for nearly 2,000 servers running WS_FTP that also have their web server exposed, which Assetnote said is required for the software to be exploited. How many of those servers might have been patched isn't clear. Assetnote said most "belong to large enterprises, governments and education."
The CVE-2023-40044 vulnerability, which is in a module called
MyFileUpload.UploadModule, appears to be 15 years old, said Martin Zugec, a technical solutions director at Bitdefender. "During our analysis, we identified this as a third-party file upload library sourced from darrenjohnstone.net, with a copyright notice reading 'Copyright © Darren Johnstone 2008,'" he said in a blog post. "This means the module was developed by a single developer and last updated in 2008. It's possible that other software utilizing this library may also be susceptible to the same vulnerability."
*Clarification Oct. 14, 2023 18:13 UTC: Clarifies that one or more attackers could have already been exploiting the WS_FTP vulnerability before it got patched, although there's no evidence of this at least so far.