October 12, 2023 at 03:16PM
Unpatched WS_FTP servers exposed to the internet are being targeted by ransomware attacks. The Reichsadler Cybercrime Group attempted to deploy ransomware on these servers using a stolen LockBit 3.0 builder. Although some servers remain unpatched, the attempt to encrypt data was unsuccessful; the attackers nevertheless left a $500 ransom demand. The vulnerability, tracked as CVE-2023-40044, allows attackers to execute commands remotely. Progress Software, the developer of WS_FTP, released a patch and advised upgrading to the latest version. Assetnote identified about 2.9k vulnerable hosts, many belonging to large organizations. Rapid7 warned of possible mass exploitation of vulnerable servers. It is recommended to disable the vulnerable WS_FTP Server Ad Hoc Transfer Module if immediate patching is not possible. The Health Sector Cybersecurity Coordination Center (HC3) has also warned organizations to patch their servers. Progress Software previously experienced data theft attacks using a zero-day bug in its MOVEit Transfer platform earlier this year, affecting over 2,500 organizations and 64 million individuals.
Key Takeaways from Meeting Notes:
1. Unpatched Internet-exposed WS_FTP servers are being targeted in ransomware attacks.
2. The Reichsadler Cybercrime Group attempted to deploy ransomware using a stolen LockBit 3.0 builder.
3. Progress Software released a fix for the vulnerability in September 2023, but not all servers have been patched.
4. The attackers used the open-source GodPotato tool for privilege escalation.
5. The ransomware deployment attempts were unsuccessful, but a $500 ransom was demanded.
6. The low ransom demand suggests mass automated attacks or inexperienced ransomware operators.
7. The vulnerability, tracked as CVE-2023-40044, allows remote command execution via HTTP requests.
8. Progress Software released security updates and urged admins to upgrade vulnerable instances.
9. The WS_FTP bug was discovered by Assetnote researchers, who also released proof-of-concept exploit code.
10. Attackers began exploiting the vulnerability on September 3.
11. Shodan lists nearly 2,000 Internet-exposed devices running WS_FTP Server software.
12. Organizations can block incoming attacks by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module.
13. The Health Sector Cybersecurity Coordination Center (HC3) warned healthcare organizations to patch their servers.
14. Progress Software previously experienced data theft attacks that impacted numerous organizations and individuals.