Ransomware attacks have targeted unpatched versions of WS_FTP Server [1], a file transfer product widely used by large enterprises, including government and educational organizations [1].

Description

These attacks exploit a critical flaw in the Ad Hoc Transfer module: a .NET deserialization vulnerability (tracked as CVE-2023-40044) in which the module reconstructs an object from attacker-supplied request data [1]. Because the object graph is rebuilt before any validation takes place, an unauthenticated attacker can execute code remotely and take control of the server. The attacks have been attributed to the self-styled Reichsadler Cybercrime Group, which demanded $500 worth of Bitcoin from its targets.
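The kind of deserialization sink described above, as an added C# illustration: this is generic example code, not WS_FTP's own code or anything taken from the cited sources, and the class, method and field names are hypothetical. It shows the unsafe pattern (a BinaryFormatter fed raw request bytes, which instantiates whatever types the payload names) beside a hardened equivalent that binds a data-only format to one concrete type and validates the result afterwards.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Hypothetical request type for an "ad hoc transfer" style endpoint (added example, not WS_FTP code).
[Serializable]
public class TransferRequest
{
    public string FileName { get; set; } = "";
    public long SizeBytes { get; set; }
}

public static class AdHocTransferHandler
{
    // VULNERABLE: BinaryFormatter rebuilds whatever object graph the bytes describe.
    // The cast to TransferRequest happens only after deserialization, so a payload
    // carrying a gadget chain has already run arbitrary code by the time the cast fails.
    public static TransferRequest ParseUnsafe(byte[] body)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete precisely because of this
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(body);
        return (TransferRequest)formatter.Deserialize(stream); // attacker code executes inside this call
#pragma warning restore SYSLIB0011
    }

    // HARDENED: a data-only format bound to a single concrete type. System.Text.Json
    // never instantiates a type named by the payload, so there is no gadget chain to trigger.
    public static TransferRequest ParseSafe(byte[] body)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 8, // bound nesting from untrusted input
        };
        var request = JsonSerializer.Deserialize<TransferRequest>(body, options)
                      ?? throw new InvalidDataException("empty request");

        // Format safety is not input validation: still check the semantics of each field.
        if (request.FileName.Length == 0
            || request.FileName.Contains("..")
            || request.FileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new InvalidDataException("bad file name");
        if (request.SizeBytes < 0 || request.SizeBytes > (1L << 30))
            throw new InvalidDataException("bad size");
        return request;
    }

    public static void Main()
    {
        // Constructed sample input for the example; not a real exploit payload.
        byte[] json = Encoding.UTF8.GetBytes("{\"fileName\":\"report.pdf\",\"sizeBytes\":1024}");
        TransferRequest ok = ParseSafe(json);
        Console.WriteLine($"accepted: {ok.FileName} ({ok.SizeBytes} bytes)");

        // Handing JSON to the BinaryFormatter path just fails (or BinaryFormatter is disabled
        // outright on current .NET); the danger is a well-formed binary object graph that is
        // not a TransferRequest at all.
        try { ParseUnsafe(json); }
        catch (Exception e) { Console.WriteLine($"BinaryFormatter path refused input: {e.GetType().Name}"); }
    }
}
```

The fix that matters is structural, not a filter: the hardened path cannot run attacker-chosen constructors because the parser only ever builds `TransferRequest`. Any remaining BinaryFormatter, SoapFormatter, NetDataContractSerializer or `TypeNameHandling`-enabled JSON.NET use on a network-facing endpoint is the same class of bug regardless of which product it appears in.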

It is worth noting that the underlying deserialization weakness appears to be about 15 years old and may affect other software built on the same library [1]. It is unclear whether the vulnerability was exploited before Progress Software released a fix in September. Despite the fix being available, nearly 2,000 WS_FTP servers with their web interface exposed to the Internet have been identified as still vulnerable [1].

The attackers attempted to deploy ransomware built with a stolen LockBit 3.0 builder, and tried to escalate privileges with the open-source GodPotato tool [2], but were unsuccessful. Sophos X-Ops reports that its protections blocked the attack [3] [4].

However, organizations that rely on WS_FTP for file transfers [4], particularly in the medical sector [3], remain at risk; delays in accessing records could affect patient care [4]. To check for compromise and strengthen their defenses [3] [4], organizations can refer to the indicators of compromise (IOCs) published on Sophos X-Ops' GitHub page.

Organizations need a plan for mitigating and patching vulnerabilities in critical, Internet-exposed services. Progress Software's security advisory details fixes for eight WS_FTP Server vulnerabilities [2], two of them rated critical [2]; they enable malicious activity up to and including remote code execution [2]. Customers are urged to update their WS_FTP Server instances; where an update cannot be applied immediately, reducing the exposure of the WS_FTP web interface shrinks the attack surface until it can.

Conclusion

The ransomware attacks targeting unpatched versions of WS_FTP Server pose a significant threat to large enterprises, including government and educational organizations [1]. The Reichsadler Cybercrime Group is exploiting a critical .NET deserialization flaw in the Ad Hoc Transfer module to execute code remotely and take control of systems. Despite a fix being available, many servers remain vulnerable [3] [4], and affected industries, especially the medical sector [3], face potential delays in accessing records that could impact patient care [4]. Organizations should use the indicators of compromise (IOCs) provided by Sophos X-Ops to check for compromise, keep a plan in place for mitigating and patching vulnerabilities in critical and exposed services, and apply the fixes in Progress Software's security advisory, which covers eight vulnerabilities, by updating their WS_FTP Server instances.

References

[1] https://www.bankinfosecurity.com/ransomware-wielding-attackers-target-unfixed-wsftp-servers-a-23311
[2] https://www.techradar.com/pro/security/unpatched-wsftp-servers-are-being-targeted-to-spread-ransomware
[3] https://www.infosecurity-magazine.com/news/ransomware-targets-unpatched-wsftp/
[4] https://flyytech.com/2023/10/16/ransomware-targets-unpatched-wsftp-servers/