Researchers Report Attacks Targeting Max Severity Bug in Progress Software’s WS_FTP


The in-the-wild exploit activity could be a harbinger of things to come.

As happened with a zero-day bug in Progress Software’s MOVEit file transfer software earlier this year, attackers have already started targeting a maximum severity vulnerability and other flaws the company disclosed last week in its WS_FTP Server file transfer technology.

Likely Single Threat Actor

Researchers at security firm Rapid7 reported observing exploit activity targeting the vulnerability in multiple customer environments starting Sept. 30. The attacks on different customers happened in quick succession and appeared to involve exploitation of several of the disclosed vulnerabilities, Rapid7 said.

“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers,” Rapid7 head of threat research Caitlin Condon said in a blog. “Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we’ve seen.”

Rapid7 updated its blog on October 2 to report a second attack chain exploiting the flaw that its managed services group had detected.

Managed security service provider Huntress said it too had observed in-the-wild exploits of CVE-2023-40044, the maximum severity WS_FTP flaw, in a single-digit number of instances within its partner base. “We are sending out incident reports for affected Huntress partners. Of the total unpatched endpoints in our visibility, we see about 5% of them compromised,” Huntress said.

Quick Take:

What: Researchers have spotted in-the-wild exploit activity targeting CVE-2023-40044, a maximum severity remote code execution bug in WS_FTP that Progress Software disclosed just last week. According to Rapid7, which observed attacks on several of its customers over the weekend, available telemetry suggests a single threat actor is behind the attacks. The company reported observing a second attack chain on October 2. Researchers at Huntress have also reported attacks on a handful of customers.

Who should pay attention: Organizations using any supported version of WS_FTP should immediately update to fixed versions of the software or disable the Ad Hoc Transfer module. If the zero-day in MOVEit file transfer was any indication, attackers will almost surely try to exploit the WS_FTP flaws to drop ransomware and all sorts of other badware on affected systems.

Max Severity Bug

CVE-2023-40044 is a .NET deserialization vulnerability in the Ad Hoc Transfer module of Progress Software’s WS_FTP Server. The vulnerability has the maximum possible severity rating of 10.0 on the CVSS scale and enables pre-authentication remote code execution on the underlying WS_FTP Server operating system. The flaw affects all versions of WS_FTP with the Ad Hoc Transfer module enabled. Rapid7 researchers last week found the flaw to be trivially easy to exploit via a single specially crafted HTTPS POST request.

Assetnote, the security vendor that discovered and reported the vulnerability to Progress, has also described CVE-2023-40044 as “straightforward” to exploit. “It’s surprising that this bug has stayed alive for so long, with the vendor stating that most versions of WS_FTP are vulnerable,” Assetnote noted. The vendor has estimated there are some 2,900 Internet-connected WS_FTP hosts with their web server exposed. Most of these systems appear to belong to large enterprises, governments and educational institutions, according to Assetnote.

CVE-2023-40044 is one of two critical bugs that Progress disclosed in WS_FTP last week. The other is CVE-2023-42657, a path traversal flaw with a CVSS score of 9.9 that allows attackers to delete and rename files and to remove or create directories outside the WS_FTP folder path. The bug affects all versions of WS_FTP with the Ad Hoc Transfer module.

The six other flaws that Progress disclosed last week are high and medium severity bugs that allow attackers to take different kinds of malicious actions on affected systems.

Update Now

Progress disclosed the bugs on Sept. 27 and issued version-specific hotfixes for each vulnerability. The company has urged customers using the affected software to patch immediately or to disable the Ad Hoc Transfer module in WS_FTP as a mitigation until they are able to update the software.

Organizations using WS_FTP would do well to follow the company’s advice, given just how widely attackers have gone after another critical bug that Progress Software disclosed in its MOVEit file transfer technology earlier this year. That vulnerability, tracked as CVE-2023-34362, is a SQL injection flaw that enables remote code execution. CVE-2023-34362 was a zero-day bug when Progress disclosed it in May 2023 and has emerged as one of the most widely attacked flaws of the year so far. The Cl0p ransomware gang alone has compromised over 2,100 organizations worldwide using the vulnerability.

File transfer products such as MOVEit and WS_FTP are popular attacker targets because of the potential access they provide to sensitive data and documents. Over the past year, there have been multiple attacks targeting vulnerabilities in file transfer products from other companies such as Accellion and GoAnywhere as well.