WS_FTP Server Cyberattack: Hackers Exploit Vulnerabilities


After the MOVEit vulnerability exploitation, which led to an increased number of ransomware attacks on its clients, a sister product from the same vendor has been found to be exploited at the hands of hackers. The parent company, Progress Software, released updates for its other file-sharing product, WS_FTP Server, in September this year. The WS_FTP Server cyberattacks have not been claimed by any hacker group so far.

Progress Software’s Vulnerabilities that Caused WS_FTP Server Cyberattacks

Two products by Progress Software, the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server Manager interface, were found to have a total of eight vulnerabilities. Among them, the Progress vulnerability CVE-2023-40044 had a CVSS score of 10 and was rated critical.

This critical vulnerability was found in the WS_FTP Server Ad Hoc Transfer Module of Progress Software, and researchers found it being exploited in the wild.

Confirming the exploitation of the file transfer platform, a Rapid7 report read, “Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget.”

Researchers found instances of continued exploitation of the critical vulnerability, confirming the WS_FTP Server cyberattacks. The first incidents were traced to September 30, 2023. Since several instances of WS_FTP Server cyberattacks were found on versions with the Ad Hoc Transfer Module enabled, it is critical that users install the hotfixes offered by the organization.

Vulnerabilities in WS_FTP Server

The critical vulnerability in WS_FTP Server could allow cybercriminals to run commands remotely in the operating system. It affects the versions prior to 8.7.4 and 8.8.2.

Since Progress began addressing the vulnerabilities in its products on September 27, 2023, it was important to install the updates promptly. This is especially true after the massive exploitation of the MOVEit vulnerability, whose results are seen even today as the number of compromised organizations keeps skyrocketing.

“We have addressed these issues and have made version-specific hotfixes available for customers to remediate them,” the Progress advisory read.

The exploitation of some of the Progress Software vulnerabilities, as found by researchers from Huntress Labs, did not require authentication, adding to the ease of hacking and accessing critical data.

[Image: Attack found by researchers with the PowerShell syntax (Photo: Huntress)]

Cybersecurity researchers provided proof of concept to show the exploitation of the vulnerabilities in WS_FTP Server. They also published the indicators of compromise found as evidence of the WS_FTP Server cyberattacks.

To fortify against the WS_FTP Server cyberattacks, Progress urged users to upgrade to the highest version – 8.8.2. The only way to upgrade to the patched release was using the full installer, the Progress advisory added.
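As an added illustration of the version rule above (not code from Progress, Huntress or this article), the following Python triage helper flags WS_FTP Server builds below the fixed releases 8.7.4 and 8.8.2 and orders them for the full-installer upgrade; the inventory records are constructed, and treating branches older than 8.7 as affected is an assumption.

```python
from __future__ import annotations

# First fixed release per WS_FTP Server branch, from the advisory text above
# (versions prior to 8.7.4 and 8.8.2 are affected by CVE-2023-40044).
FIXED_BY_BRANCH = {(8, 7): (8, 7, 4), (8, 8): (8, 8, 2)}
LATEST_FIXED = "8.8.2"  # the release Progress urged customers to install

def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '8.7.3' or '8.8.2.0' into an int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> bool:
    """True if this build still lacks the hotfix for CVE-2023-40044.

    Builds at or above their branch's first fixed release are patched; a bare
    '8.7' sorts below the fix and is reported, the safe default. Assumption:
    branches older than 8.7 got no hotfix; newer than 8.8 shipped after it.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return v[:2] < (8, 7)
    return v < fixed

# Constructed inventory records; the host names are placeholders.
SAMPLE_INVENTORY = [
    {"host": "ftp-dmz-01", "version": "8.7.3", "ad_hoc_module": True},
    {"host": "ftp-int-02", "version": "8.8.2", "ad_hoc_module": True},
    {"host": "ftp-lab-03", "version": "8.6.1", "ad_hoc_module": False},
    {"host": "ftp-dmz-04", "version": "8.8.1", "ad_hoc_module": True},
]

def triage(inventory: list[dict]) -> list[dict]:
    """Return the unpatched hosts, those with the Ad Hoc Transfer Module
    enabled first, since that is the configuration seen exploited."""
    findings = []
    for rec in inventory:
        if not is_vulnerable(rec["version"]):
            continue
        findings.append({
            "host": rec["host"], "version": rec["version"],
            "priority": "urgent" if rec.get("ad_hoc_module") else "high",
            "action": f"upgrade with the full installer to {LATEST_FIXED}",
        })
    findings.sort(key=lambda f: f["priority"] != "urgent")  # stable sort
    return findings
```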

Meanwhile, hackers from the Clop ransomware group have so far targeted at least 2,309 organizations from the MOVEit vulnerability exploitation. As part of the Cyber Security Awareness Month 2023 campaign, governments across nations have outlined four key steps to secure their digital property. One of them includes upgrading software to its latest versions.

It seems that software management is the need of the hour. The other three steps in the CSAM campaign were to safeguard account login credentials with stronger passwords, to turn on multi-factor authentication, and to recognize and report phishing emails.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.