Unpatched WS_FTP servers exposed to the internet have become prime targets for ransomware attacks, with threat actors exploiting a critical vulnerability.
Writing on Infosec Exchange last Thursday, Sophos X-Ops’ incident responders described an attempted ransomware attack by the self-proclaimed Reichsadler Cybercrime Group. The attack reportedly utilized a stolen LockBit 3.0 builder to create ransomware payloads.
Despite Progress Software releasing a patch for the WS_FTP Server vulnerability (tracked as CVE-2023-40044) just last month, not all servers have been updated, leaving them vulnerable to exploitation.
In this particular attack, the threat actors attempted to escalate privileges using the open-source GodPotato tool, known for enabling privilege escalation across various Windows client and server platforms.
Sophos X-Ops revealed the attack sequence on Mastodon. The attack began with exploitation of the critical vulnerability, eventually leading to the attempted ransomware deployment. Fortunately, Sophos X-Ops managed to thwart the attack with their behavioral protection rules and multi-layered security measures.
“It appears that the attackers have only really been able to deploy ransomware on the victims’ machine that is running this FTP software itself. However, industry sectors that use the software for transferring files remain vulnerable,” warned John Bambenek, principal threat hunter at Netenrich.
“Of particular concern is the medical sector, where not only are file transfers going between providers important, but the lack of being able to access those records on a timely basis could certainly impact patient care and potentially mortality rates.”
According to Melissa Bischoping, director of endpoint security research at Tanium, this incident is a stark reminder of the critical importance of promptly patching known vulnerabilities and maintaining up-to-date security defenses.
“Any vulnerability in a public-facing device like web servers, FTP servers, or network infrastructure is an attractive target for a threat actor to compromise. Some organizations may face delayed patching either due to visibility challenges or delays to avoid disruptive downtime,” Bischoping explained.
“As part of your security strategy, having a plan of action to mitigate and patch vulnerabilities in those critical and exposed services should be part of your vulnerability management planning,” Bischoping added.
To enhance defenses and gain insight into this latest threat, organizations can refer to the indicators of compromise (IOCs) made available on Sophos X-Ops’ GitHub page.