
Ransomware Actors Target Critical Flaw in Progress Software's WS_FTP Server

Ransomware attackers have set their sights on a critical vulnerability in Progress Software's WS_FTP Server secure file transfer product, according to reports from Sophos' X-Ops team. The security vendor revealed that threat actors attempted to exploit CVE-2023-40044 in an unsuccessful ransomware attack against WS_FTP Server users. Fortunately, the attack was thwarted by Sophos' behavioral protection rule, which detected suspicious activity related to the ransomware.

CVE-2023-40044 is a severe vulnerability that was discovered and patched by Progress on September 27. The flaw allowed pre-authenticated attackers to leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module, enabling them to execute remote commands on the underlying WS_FTP Server operating system. Progress advised customers to update to a supported version or disable the Ad Hoc Transfer Module to mitigate the risk.

This vulnerability was disclosed alongside CVE-2023-42657, another flaw in WS_FTP Server versions prior to 8.7.4 and 8.8.2, with a high CVSS score. Several cybersecurity firms, including Rapid7 and Bitdefender, observed evidence of CVE-2023-40044 exploitation shortly after its disclosure.
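The advisory details above (fixed releases 8.7.4 and 8.8.2, and disabling the Ad Hoc Transfer module as the interim mitigation) translate into a simple triage rule a defender can run over an asset inventory. The following is an added example written for this page, not code from the article, Sophos, or Progress Software. It assumes the fixed versions are exactly those the article reports (8.7.4 on the 8.7 branch, 8.8.2 on the 8.8 branch, with anything older on either branch or on an earlier branch treated as vulnerable), that newer branches are patched, and that the inventory format (host name, version string, Ad Hoc Transfer enabled flag) is a constructed one; it generalizes the per-branch comparison to both fixed lines rather than one.

```python
"""
Added example (not from the article, Sophos, or Progress Software): triage a
WS_FTP Server host inventory against the patched releases the advisory names.

Assumptions (mine, not the article's):
- Fixed versions are 8.7.4 (8.7 branch) and 8.8.2 (8.8 branch). Anything older
  on those branches, or any branch below 8.7, is treated as vulnerable; branches
  newer than 8.8 are assumed to carry the fix.
- A vulnerable host with the Ad Hoc Transfer module disabled is "mitigated",
  matching the vendor's interim advice as the article reports it.
- The inventory format below is invented for illustration.
"""
from dataclasses import dataclass

# Earliest patched release per affected branch (assumption based on the article).
FIXED = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '8.8.1' into (8, 8, 1) so tuple comparison orders versions."""
    return tuple(int(p) for p in s.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Branches older than 8.7 predate both fixes; newer branches assumed patched.
    return branch < (8, 7)


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    ad_hoc_transfer_enabled: bool


def triage(host: Host) -> str:
    """Classify a host as patched, mitigated (module off), or at-risk."""
    if not is_vulnerable(host.version):
        return "patched"
    if not host.ad_hoc_transfer_enabled:
        # Still needs the update, but the exploited module is not reachable.
        return "mitigated"
    return "at-risk"


# Constructed inventory for illustration only.
INVENTORY = [
    Host("ftp-dmz-01", "8.8.1", True),
    Host("ftp-dmz-02", "8.8.2", True),
    Host("ftp-legacy", "8.6.3", False),
    Host("ftp-partner", "8.7.4", True),
]


def report(hosts=INVENTORY) -> dict[str, list[str]]:
    """Group host names by triage status for a quick patch-priority list."""
    out: dict[str, list[str]] = {"patched": [], "mitigated": [], "at-risk": []}
    for h in hosts:
        out[triage(h)].append(h.name)
    return out


if __name__ == "__main__":
    for status, names in report().items():
        print(f"{status}: {', '.join(names) or '-'}")
```

The "mitigated" bucket is deliberately separate from "patched": disabling the module removes the exploited entry point but leaves the host on a release the vendor no longer considers current, so it should stay on the patch list.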

Sophos X-Ops identified the ransomware actors as the "Reichsadler Cybercrime Group" and shared a ransom demand of $500 in Bitcoin issued by the threat actor. Progress Software responded by commending the security industry's efforts to enhance the security of internet-facing servers like WS_FTP. They urged customers to promptly patch their installations.

Regarding a possible connection between this threat activity and Progress Software's MoveIt Transfer product, Sophos stated they were investigating but had not found any correlation at the moment. This incident highlights the critical importance of promptly addressing software vulnerabilities and maintaining robust cybersecurity measures to protect against ransomware attacks. Security pros from around the industry shared insights on how organizations can protect themselves against this type of threat.

John Bambenek, Principal Threat Hunter at Netenrich:

"The good news is that the patch for this, or the ability, has existed for about two weeks. This means defenders should have had ample time and resources with which to mitigate this vulnerability. While there have been attempts to escalate privilege, thus making these attacks more devastating, it appears that the attackers have only really been able to deploy ransomware on the victim's machine that is running this FTP software itself. However, industry sectors that use the software for transferring files remain vulnerable. Of particular concern is the medical sector, where not only are file transfers between providers important, but the lack of being able to access those records on a timely basis could certainly impact patient care and potentially mortality rates."

Melissa Bischoping, Director, Endpoint Security Research at Tanium:

"Any vulnerability in a public-facing device like web servers, FTP servers, or network infrastructure is an attractive target for a threat actor to compromise. Some organizations may face delayed patching either due to visibility challenges, or delays to avoid disruptive downtime.

As part of your security strategy, having a plan of action to mitigate and patch vulnerabilities in those critical and exposed services should be part of your vulnerability management planning.

Once inside your network, attackers will seek to leverage other harvested credentials or vulnerabilities to move through your environment. A defense in depth approach coupled with enriched telemetry from endpoint and network devices will allow teams to respond faster and with more precision, even if an attacker manages to breach one barrier. The goal is always to stop an attack as early in the kill chain as possible but recognize that there are opportunities to disrupt and detect an attack at all points in the kill chain."

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start:

"Vulnerable sectors: Healthcare institutions often have complex, interconnected IT environments, and sometimes legacy systems, that can be challenging to patch swiftly. Patient data's sensitivity and the urgency of healthcare operations make these institutions lucrative and critical targets. Other sectors like government indeed are also at risk, particularly because they house sensitive information and sometimes work with older, legacy IT infrastructures. Additionally, disruptions to government services can have wide-reaching impacts, making them attractive targets for ransomware groups looking to exert pressure for payments or make a political statement.

Several sectors might exhibit similar vulnerabilities due to the presence of legacy systems, interconnected IT environments, and the value or sensitivity of the data they handle. Here are some other sectors that come to mind:

  1. Financial Services: Banks, insurance companies, and other financial institutions handle vast amounts of sensitive data. They're often targeted because disruptions in their services can have wide-ranging economic implications, and they might be willing to pay ransoms to restore services quickly.

  2. Utilities and Energy: The energy sector, including electricity providers, water supply systems, and nuclear facilities, often rely on aging infrastructure and systems. A successful ransomware attack on these entities can have catastrophic real-world consequences, making them attractive targets for threat actors.

  3. Education: Educational institutions, from schools to universities, possess valuable research and personal data. Many institutions have complex networks that serve thousands of users, making it challenging to enforce security uniformly.

  4. Transportation: This includes airlines, railways, and public transit systems. Disruptions in their services due to ransomware attacks can lead to massive real-world chaos and financial loss.

  5. Manufacturing: Advanced manufacturing facilities are increasingly relying on interconnected devices and systems. Disruptions can lead to substantial financial losses, and older factories might employ outdated IT systems vulnerable to attacks.

  6. Retail: Especially those with vast, interconnected supply chains. An attack could disrupt operations, halt sales, and lead to substantial financial loss.

  7. Telecommunications: Given their role in connecting different sectors, they are a prime target. Disruption here could cascade to other sectors, amplifying the impact.

Recommendations: In addressing the vulnerabilities surrounding WS_FTP servers, it's essential to revert to some standard yet crucial cybersecurity practices. Firstly, organizations must prioritize immediate patching, applying the provided updates from Progress Software swiftly, given the known active exploitation of this vulnerability. Network segmentation is another traditional recommendation, ensuring that WS_FTP servers aren't overtly exposed to the internet; using DMZs or similar measures can mitigate risks. It's always advised to maintain consistent backups of pivotal data; this age-old recommendation stands firm, especially in the face of ransomware threats, as it reduces the leverage attackers have in demanding ransoms. Continuous monitoring of servers using established tools helps identify and address suspicious activities, and, as always, user training remains instrumental. Employees should be well-acquainted with potential phishing signs and other malicious gateways that can introduce ransomware. Lastly, having a structured incident response plan is a staple suggestion. When faced with an attack, a well-laid-out plan can expedite reactions, potentially curbing the threat and mitigating losses."
