Security researchers say they have seen what looks like the start of mass exploitation of a vulnerability in Progress Software’s WS_FTP Server.
Rapid7 researchers began noticing evidence of exploitation across multiple instances of WS_FTP on September 30th.
Progress released fixes for eight separate WS_FTP vulnerabilities on Wednesday, including one rated at the maximum score of 10 on the CVSS severity scale. A few days later, the company said it had no evidence of exploitation at that time.
Although the researchers did not say exactly which flaws were being exploited, they noted that “one or more” of the vulnerabilities covered by Progress’s eight advisories appeared to be the subject of exploitation attempts.
The attacks began on the evening of September 30th, and Rapid7 received alerts about the attempts within minutes from multiple customer environments, according to a blog post by Caitlin Condon, Senior Manager of Vulnerability Research at Rapid7.
After analyzing the exploit chain, the researchers concluded that the process looked the same across all of the alerted incidents, which may indicate that criminals are attempting to exploit vulnerable WS_FTP instances at scale.
The researchers also noted that a single Burp Suite domain was used in every exploit attempt they analyzed, further supporting the idea that one threat actor is behind the activity.
Detailing the attack chain, Rapid7 said a child process was responsible for executing a file named NTUSER.dll, which on analysis appears to be related to Sliver, the legitimate red team post-exploitation kit from Bishop Fox.
Exploit attempts appear to be low in volume at this time, as far as a limited selection of telemetry can confirm. For example, Bob Rudis of GreyNoise Intelligence said his team had not yet detected any attempts as of October 1.
Assetnote researchers, who discovered CVE-2023-40044, the highest severity of the WS_FTP vulnerabilities, said their telemetry shows about 2,900 hosts running the file transfer software, many of them belonging to large enterprises, governments, and educational institutions.
According to Progress Software, the product has 40 million users, and its website lists prominent customers including games developer RockSteady, NFL team the Denver Broncos, Scientific American, and luxury retailer H&M.
Two days after Progress released its security advisory, proof-of-concept (PoC) code for CVE-2023-40044 began circulating online.
Once a security advisory is issued, exploitation attempts usually follow soon after, since PoC code is often developed fairly quickly.
Rapid7 emphasized the importance of upgrading to the latest version of WS_FTP as soon as possible, as that release contains the fixes for the widely impacting security issues in previous versions of the software.
Customers running WS_FTP with the Ad Hoc Transfer module (the configuration exposed to a subset of the eight vulnerabilities disclosed by Progress) are encouraged to disable or remove the module if they cannot upgrade immediately.
Progress Software’s year to forget
The issues affecting WS_FTP are the latest in what has been a difficult year for the software company that developed the product.
One of the company’s file transfer products, MOVEit Transfer, was the target of mass exploitation by the Cl0p cybercrime team earlier this year.
The group has completely dropped the ransomware element of its operations this year, becoming more of a hacking-and-extortion gang, and infiltrated at least 400 organizations after exploiting a MOVEit Transfer zero-day.
Most of the attacks involved stealing data from the victim and holding it to ransom, a tactic adopted by many ransomware-adjacent criminals throughout 2023, including Cl0p, RansomHouse, BianLian, and Karakurt.
As a result of the large-scale exploitation of MOVEit Transfer, Progress is facing numerous lawsuits for attacks that began in June and have continued for months.
A Coveware researcher said in July that Cl0p’s campaign against MOVEit could earn the criminals between $75 million and $100 million, with the victims who did pay handing over much higher ransoms than in previous Cl0p attacks.
“The MOVEit campaign could ultimately directly impact more than 1,000 companies and indirectly impact an order of magnitude more, but only a small percentage of victims will be willing to consider paying. In fact, no one even bothered to negotiate,” said Coveware.
“Companies that did pay paid significantly more than in previous Cl0p campaigns and several times the global average ransom amount of $740,144.” ®