Ransomware attacks are now focusing on unpatched WS_FTP servers that are vulnerable to a maximum-severity flaw. Sophos X-Ops incident responders have recently observed that the Reichsadler Cybercrime Group, a self-described threat actor, has attempted to deploy ransomware payloads using a LockBit 3.0 builder that was stolen in September 2022.
"The ransomware actors didn't wait long to abuse the recently reported vulnerability in WS_FTP Server software," Sophos X-Ops said. Despite the release of a fix for this vulnerability by Progress Software in September 2023, not all servers have been patched. The threat actors tried to escalate privileges using the open-source GodPotato tool, which enables privilege escalation across Windows client and server platforms.
Their attempt to deploy the ransomware payloads on the victim's systems was stopped, preventing the attackers from encrypting the target's data. However, the threat actors still demanded a $500 ransom, payable by October 15, Moscow Standard Time. The modest ransom demand suggests that Internet-exposed and vulnerable WS_FTP servers are likely being targeted in mass automated attacks or by an inexperienced ransomware operation.
The flaw, tracked as CVE-2023-40044, is a .NET deserialization vulnerability in the Ad Hoc Transfer Module. It allows unauthenticated attackers to remotely execute commands on the underlying OS via HTTP requests. Progress Software released security updates to address this critical WS_FTP Server vulnerability on September 27, urging admins to upgrade vulnerable instances.
Assetnote, the security researchers who discovered the WS_FTP bug, released proof-of-concept (PoC) exploit code just days after it was patched. Cybersecurity company Rapid7 revealed that attackers began exploiting CVE-2023-40044 on September 3, the day the PoC exploit was released.
Organizations that cannot immediately patch their servers can block incoming attacks by disabling the vulnerable WS_FTP Server Ad Hoc Transfer Module. The Health Sector Cybersecurity Coordination Center (HC3), the security team of the U.S. Health Department, also warned Healthcare and Public Health sector organizations last month to patch their servers as soon as possible. Progress Software is currently dealing with the aftermath of a widespread series of data theft attacks that exploited a zero-day bug in its MOVEit Transfer secure file transfer platform earlier this year. These attacks impacted over 2,500 organizations and more than 64 million individuals, as estimated by Emsisoft.
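Because the flaw is reached through HTTP requests to the Ad Hoc Transfer Module, a defender's first questions are whether unauthenticated clients have been posting to that module and, after disabling it as a stopgap, whether it is still answering requests. The script below is an added example (not code from the article, Sophos, Assetnote or Progress Software) that triages IIS W3C logs for both conditions. It assumes the module is served under the IIS path prefix `/AHT/` and uses a constructed log excerpt with documentation IP addresses; the request paths in that excerpt are invented for illustration.

```python
"""Triage IIS W3C logs for traffic to the WS_FTP Server Ad Hoc Transfer Module.

Added defensive example; not from the article or from Progress Software.
Assumptions (not stated in the article):
  * the Ad Hoc Transfer Module is served under the IIS path prefix "/AHT/"
  * logs are IIS W3C extended format; the parser reads the #Fields directive,
    so any field order works as long as the directive is present
"""
from collections import Counter

AHT_PREFIX = "/aht/"  # assumed module path prefix, compared case-insensitively

# Constructed sample log (not real traffic). Hosts use RFC 5737 documentation
# ranges and the request paths under /AHT/ are invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2023-09-29 08:12:44 10.0.0.5 GET /ThinClient/WTM/Default.aspx - 443 alice 192.0.2.10 Mozilla/5.0 200 1834 412 15
2023-09-29 08:13:01 10.0.0.5 POST /AHT/Service.asmx/Example - 443 - 198.51.100.7 python-requests/2.31 500 1210 9870 130
2023-09-29 08:13:02 10.0.0.5 POST /AHT/Service.asmx/Example - 443 - 198.51.100.7 python-requests/2.31 500 1210 9912 128
2023-09-29 08:15:30 10.0.0.5 GET /AHT/ - 443 bob 192.0.2.22 Mozilla/5.0 200 5120 300 20
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, #Version, ...)
        if fields is None:
            raise ValueError("log row encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed rows rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def triage_aht(records, module_disabled=False):
    """Return findings for Ad Hoc Transfer Module traffic.

    unauth_post_to_aht : a POST to the module with no IIS username, the shape
                         of traffic an unauthenticated caller would produce
    aht_still_reachable: only when module_disabled=True; a non-error response
                         from the module means the stopgap is not in effect
    """
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.startswith(AHT_PREFIX):
            continue
        status = int(r.get("sc-status", "0"))
        base = {"time": f'{r.get("date")} {r.get("time")}',
                "c-ip": r.get("c-ip"), "uri": r.get("cs-uri-stem"), "status": status}
        if r.get("cs-method") == "POST" and r.get("cs-username", "-") == "-":
            findings.append({"kind": "unauth_post_to_aht", **base})
        if module_disabled and status < 400:
            findings.append({"kind": "aht_still_reachable", **base})
    return findings


def clients_by_count(findings):
    """Count findings per client address so the noisiest sources surface first."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    for f in triage_aht(recs, module_disabled=True):
        print(f'{f["kind"]:20} {f["time"]} {f["c-ip"]:15} {f["status"]} {f["uri"]}')
    print("per-client:", dict(clients_by_count(triage_aht(recs))))
```

Run it against the real log directory by replacing `SAMPLE_LOG` with the file contents; pass `module_disabled=True` once the Ad Hoc Transfer Module has been disabled so that any successful response from its path is reported as evidence the mitigation did not take effect.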