Unpatched WS_FTP servers are being targeted to spread ransomware
Organizations that have not yet patched their WS_FTP Server instances are now being targeted by ransomware. This is evident from a new report from cybersecurity experts Sophos X-Ops, who recently thwarted such an attempt against one of their customers.
A relatively unknown threat actor by the name of Reichsadler Cybercrime Group has apparently attempted to use the LockBit 3.0 builder, which was stolen in September 2022, against an unnamed company.
“The ransomware actors did not wait long to exploit the recently reported vulnerability in the WS_FTP Server software,” the researchers said. “Although Progress Software released a fix for this vulnerability in September 2023, not all servers have been patched yet. Sophos X-Ops has observed unsuccessful attempts to deploy ransomware through the unpatched services.”
Automated attacks
In the attack, Reichsadler attempted to gain elevated privileges using the open-source tool GodPotato. Although the attempt failed, the attackers still left a ransom note demanding $500 in cryptocurrency. The researchers speculate that this means the attackers are either inexperienced or have automated an attack against numerous companies (or both). A Shodan search showed almost 2,000 vulnerable instances, BleepingComputer reported.
Two weeks ago, Progress (the company behind WS_FTP) published a security advisory detailing fixes for a total of eight vulnerabilities. Two of them are considered critical. One is tracked as CVE-2023-40044 (severity grade 10/10), while the other is tracked as CVE-2023-42657 (9.9/10). These vulnerabilities allow threat actors to perform a range of malicious activities, including remote code execution.
“Attackers can also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and directory locations on the underlying operating system,” Progress said in the advisory.
Prior to the WS_FTP Server news, Progress made headlines after its other product, MOVEit, was at the center of a data theft fiasco that affected more than 2,500 organizations and more than 64 million individuals.
Via BleepingComputer