

Rewterz Threat Alert – IcedID Banking Trojan aka BokBot – Active IOCs
October 15, 2023
Rewterz Threat Advisory – Multiple Juniper Networks Junos OS and Junos OS Evolved Vulnerabilities
October 15, 2023
Severity
High
Analysis Summary
Internet-exposed WS_FTP servers that remain unpatched against a critical-severity vulnerability are at high risk of being targeted in ransomware attacks. Threat actors calling themselves the Reichsadler Cybercrime Group have unsuccessfully attempted to deploy ransomware payloads created with a stolen LockBit 3.0 builder.
The researchers said, “The ransomware actors didn’t wait long to abuse the recently reported vulnerability in WS_FTP Server software. Even though Progress Software released a fix for this vulnerability in September 2023, not all of the servers have been patched. Sophos X-Ops observed unsuccessful attempts to deploy ransomware through the unpatched services.”
The threat actors made an attempt to escalate privileges using the open-source GodPotato tool, which allows privilege escalation to ‘NT AUTHORITY\SYSTEM’ on Windows. Fortunately, their attempt to deploy the ransomware payloads was prevented and they weren’t able to encrypt the target’s data.
However, they still demanded a $500 ransom even though they were unable to encrypt any files. This shows that the vulnerable internet-exposed WS_FTP servers are probably being targeted in mass automated attacks or by an inexperienced ransomware operation.

The vulnerability, tracked as CVE-2023-40044, is a .NET deserialization flaw in the Ad Hoc Transfer Module that allows unauthenticated attackers to execute commands on the underlying operating system through remote HTTP requests.
The patch for this critical vulnerability was released on 27th September, and the company urged administrators to upgrade their systems as soon as possible. Around 2,000 internet-exposed devices are still listed as running WS_FTP Server software, most of them belonging to large enterprises, educational institutions, and government organizations.

Organizations that cannot patch their servers immediately are advised to block incoming attacks by disabling the flawed WS_FTP Server Ad Hoc Transfer Module.
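The chain described in the summary above (unauthenticated command execution through the web-hosted Ad Hoc Transfer Module, followed by an attempt to escalate to NT AUTHORITY\SYSTEM) leaves a characteristic process tree. The following is an added detection example, not code from the Rewterz advisory or from Sophos; it assumes the module runs inside an IIS worker process (w3wp.exe) and walks Sysmon-style process-creation events to flag shells, Temp-directory executables and SYSTEM-level processes that descend from the application-pool worker. All event values are constructed.

```python
# Constructed Sysmon Event ID 1-style telemetry (pid, parent pid, image, user).
# That WS_FTP's Ad Hoc Transfer Module is hosted by w3wp.exe is an assumption.
EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": "IIS APPPOOL\\WSFTPSVR"},
    {"pid": 5204, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",          "user": "IIS APPPOOL\\WSFTPSVR"},
    {"pid": 5388, "ppid": 5204, "image": r"C:\Windows\Temp\escalate.exe",         "user": "IIS APPPOOL\\WSFTPSVR"},
    {"pid": 5402, "ppid": 5388, "image": r"C:\Windows\System32\cmd.exe",          "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 6000, "ppid": 900,  "image": r"C:\Windows\System32\svchost.exe",      "user": "NT AUTHORITY\\SYSTEM"},
]

WEB_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def basename(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_web_worker_chains(events):
    """Return (pid, reason) alerts for suspicious processes descending from w3wp.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        # Walk up the parent chain (bounded, in case of pid reuse loops) looking for the IIS worker.
        worker, parent, hops = None, by_pid.get(e["ppid"]), 0
        while parent is not None and hops < 32:
            if basename(parent["image"]) == WEB_WORKER:
                worker = parent
                break
            parent, hops = by_pid.get(parent["ppid"]), hops + 1
        if worker is None:
            continue
        # Web workers serving file-transfer requests should not spawn interactive shells.
        if basename(e["image"]) in SHELLS:
            alerts.append((e["pid"], "shell spawned under IIS worker"))
        # Dropped binaries executed from Temp are a common post-exploitation stage.
        if "\\temp\\" in e["image"].lower():
            alerts.append((e["pid"], "executable launched from Temp under IIS worker"))
        # An app-pool identity whose descendant runs as SYSTEM indicates privilege escalation.
        if e["user"].upper() == SYSTEM_USER and worker["user"].upper() != SYSTEM_USER:
            alerts.append((e["pid"], "SYSTEM process descends from app-pool worker (possible privilege escalation)"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_web_worker_chains(EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

The rules are intentionally conservative: svchost.exe running as SYSTEM under a non-IIS parent produces no alert, while the escalated cmd.exe is flagged twice, once as a shell and once for the identity change.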
Impact
- Financial Loss
- Unauthorized Access
- Sensitive Data Theft
- Command Execution
Remediation
- Refer to Progress Community Website for patch, upgrade or suggested workaround information.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Stay vigilant and follow cybersecurity best practices to protect systems and data from potential threats, including regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.