Ransomware, Security Staff Acquisition & Development

WS_FTP servers targeted in ransomware attacks

Computer servers in a data center

Security teams have been advised that a maximum severity vulnerability in unpatched WS_FTP servers from Progress Software have been targeted in ransomware attacks.

In an advisory posted by Sophos X-Ops, the researchers said that even though Progress Software released a fix for this bug last month, not all the servers have been patched yet.

“The ransomware actors didn’t wait too long to abuse the recently reported vulnerability in WS_FTP Server software,” said the Sophos X-Ops researchers

The Sophos researchers said the threat actors, self-described as the Reichsadler Cybercrime Group, attempted unsuccessfully to deploy ransomware payloads created using a LockBit 3.0 builder reportedly stolen in September 2022.

News of the flaw in the WS_FTP software broke earlier this month, when SC Media reported that threat actors could leverage the maximum severity flaw, tracked as CVE-2023-40044, to facilitate remote command execution. Another critical vulnerability, tracked as CVE-2023-42657, could be exploited to enable file operations outside the permitted folder path.

The WS_FTP server's recent vulnerability presents a severe threat landscape because of its inherent nature, which permits unauthenticated attackers to execute commands on the underlying OS remotely, explained Callie Guenther, senior manager, cyber threat research at Critical Start. Guenther said the fact that threat actors such as the Reichsadler Cybercrime Group are actively attempting to exploit this vulnerability using sophisticated tools like GodPotato only underscores its significance.

“Their usage of LockBit 3.0, even if the builder was stolen, reflects a growing sophistication in the ransomware ecosystem,” said Guenther. “The modest ransom amount suggests the potential use of automated attacks, which inherently amplifies the threat due to its scalability. Automated attacks can target a vast number of vulnerable servers, thereby increasing the attackers' chances of success."

Vulnerabilities in health sector make it a top target for threat actors

In terms of the most vulnerable sectors, Guenther said healthcare institutions often have complex, interconnected IT environments, and sometimes legacy systems, that can be challenging to patch swiftly. Guenther said patient data's sensitivity and the urgency of healthcare operations make these institutions lucrative and critical targets.

“Other sectors like government indeed are also at risk, particularly because they house sensitive information and sometimes work with older, legacy IT infrastructures,” said Guenther. “Additionally, disruptions to government services can have wide-reaching impacts, making them attractive targets for ransomware groups looking to exert pressure for payments or make a political statement.”

Will Long, chief security officer at First Health Advisory, said the concern for healthcare, as noted in a Department of Health and Human Services Cybersecurity Coordination Center alert, is that Progress Software developed and markets the MOVEit File Transfer Software, another file transfer product.

“These vulnerabilities were widely targeted by the Clop ransomware-as-a-service group, with a long list of victims in the healthcare sector,” said Long. “Third-party risk management is a mandatory capability in healthcare.  Many healthcare organizations struggle to keep up with managing their own risks besides those of their partners. Some vendors are slow to patch or might not have best practices in place that put your organization at risk. One simple best method related to file transfer servers is to keep almost zero data on these servers, like MOVEit application servers.”

John Bambenek, principal threat Hunter at Netenrich, added that on the plus side, the patch for this, or the ability, has existed for about two weeks. Bambenek said this means defenders should have had ample time and resources with which to mitigate this vulnerability.

“While there have been attempts to escalate privilege, thus making these attacks more devastating, it appears that the attackers have only really been able to deploy ransomware on the victims machine that is running this FTP software itself,” said Bambenek. “However, industry sectors that use the software for transferring files remain vulnerable. Of particular concern is the medical sector, where not only file transfers from going between providers are important, the lack of being able to access those records on a timely basis could certainly impact patient care and potentially mortality rates.”

Andrew Barratt, vice president at Coalfire, said if organizations have not patched this flaw yet, then compromise is inevitable.  

“Whether that becomes ransomware or any other type of attack will be dependent on threat actor,” said Barratt. “This is an initial access vulnerability which are highly prized on the open market, usually subject to rapid automation. Expect this to hit you yesterday.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.