Ransomware Threat Shifts Focus to Unpatched WS_FTP Servers

Ransomware attackers have now set their sights on internet-exposed WS_FTP servers that lack critical security updates and remain exposed to a maximum-severity vulnerability.

Recent findings by Sophos X-Ops incident responders show that the self-proclaimed Reichsadler Cybercrime Group attempted to deploy ransomware payloads using a LockBit 3.0 builder stolen in September 2022. The attackers failed to deploy the ransomware because their privilege escalation attempts, which relied on the open-source GodPotato tool, were thwarted.

Despite failing to encrypt the victim’s files, the attackers demanded a relatively low $500 ransom, payable by October 15, Moscow Standard Time. This modest ransom request suggests that these exposed and vulnerable WS_FTP servers might be targeted in mass automated attacks or by less experienced ransomware operators.

Identified as CVE-2023-40044, the vulnerability stems from a .NET deserialization flaw within the Ad Hoc Transfer Module, permitting unauthenticated attackers to execute remote OS commands through HTTP requests.

Progress Software took action on September 27 by releasing security updates to address this critical WS_FTP Server vulnerability, urging administrators to apply patches promptly.

Organizations unable to immediately patch their servers can enhance security by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module.
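Because the flaw sits in the Ad Hoc Transfer Module and is reachable by unauthenticated HTTP requests, one practical check for defenders is to triage web server logs for requests to that module that arrive without a username and from outside trusted networks, especially after the module has been disabled as recommended above. The following script is an added example for this article, not code from Sophos, Progress Software, or the article itself; the module path prefix, the IIS field order, the trusted network ranges, and the log lines are all assumptions or constructed sample data that must be adjusted to a real deployment.

```python
"""Triage IIS-style W3C log lines for traffic to the WS_FTP Ad Hoc Transfer module.

Added example (not from the article or any vendor). Assumptions to verify locally:
  - the Ad Hoc Transfer module is served under AHT_PATH_PREFIX (placeholder)
  - the log uses the field order in FIELDS
  - internal networks are those listed in TRUSTED_NETS
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed URL prefix of the Ad Hoc Transfer module; confirm on your own server.
AHT_PATH_PREFIX = "/aht/"

# Assumed trusted address ranges; anything else is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed W3C field order for the constructed sample below.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log lines (not real traffic; endpoint name is a placeholder).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-10-01 03:12:44 10.0.0.5 GET /ThinClient/Login.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
2023-10-01 03:13:01 10.0.0.5 POST /AHT/ExampleService.asmx - 443 - 203.0.113.7 python-requests/2.31 500
2023-10-01 03:13:05 10.0.0.5 POST /AHT/ExampleService.asmx - 443 jdoe 10.0.0.20 Mozilla/5.0 200
2023-10-01 03:14:22 10.0.0.5 POST /AHT/ExampleService.asmx - 443 - 198.51.100.9 curl/8.0 200
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    user: str
    status: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Split one W3C log line into a dict keyed by field name, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str):
    """Return every request to the Ad Hoc Transfer module, annotated with risk reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        rec = parse_line(line)
        if rec is None or not rec["cs-uri-stem"].lower().startswith(AHT_PATH_PREFIX):
            continue
        reasons = []
        if rec["cs-method"].upper() == "POST":
            reasons.append("post-to-aht")          # the module is driven by POSTed requests
        if rec["cs-username"] == "-":
            reasons.append("unauthenticated")      # flaw is reachable without credentials
        if not is_trusted(rec["c-ip"]):
            reasons.append("untrusted-source")     # internet-exposed path, per the article
        findings.append(Finding(rec["time"], rec["c-ip"], rec["cs-username"],
                                rec["sc-status"], reasons))
    return findings


def high_risk(findings):
    """Keep only unauthenticated POSTs to the module from untrusted addresses."""
    wanted = {"post-to-aht", "unauthenticated", "untrusted-source"}
    return [f for f in findings if wanted.issubset(f.reasons)]


if __name__ == "__main__":
    for f in high_risk(triage(SAMPLE_LOG)):
        print(f"{f.time} {f.client_ip} status={f.status} reasons={','.join(f.reasons)}")
```

Once the Ad Hoc Transfer Module has been disabled, any request matching the prefix should return an error and is itself worth a second look, since nothing legitimate should be calling it; if the module is still enabled pending a patch, the high-risk subset is the set of requests to correlate with process creation and file activity on the host.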

The Health Sector Cybersecurity Coordination Center (HC3), the U.S. Health Department’s security team, has also issued warnings to Healthcare and Public Health sector organizations to expedite the patching of their servers.

It’s worth noting that Progress Software has been grappling with the aftermath of a widespread series of data theft attacks, which exploited a zero-day bug in its MOVEit Transfer secure file transfer platform earlier this year, affecting over 2,500 organizations and impacting more than 64 million individuals.