Unpatched WS_FTP servers exposed to the Internet have become prime targets for ransomware attacks, as malicious actors exploit a critical vulnerability.
In a post on Infosec Exchange last Thursday, Sophos X-Ops researchers described an attempted ransomware attack by a group calling itself Reichsadler. The attackers allegedly used a stolen LockBit 3.0 builder to create their ransomware payloads.
Although Progress Software released a patch for the WS_FTP Server vulnerability (tracked as CVE-2023-40044, a pre-authentication .NET deserialization flaw in the product's Ad Hoc Transfer module, fixed in WS_FTP Server 8.7.4 and 8.8.2) last month, not all servers have been updated, leaving them open to exploitation.
In this attack, the threat actors attempted to escalate privileges with the open source tool GodPotato, which abuses the SeImpersonatePrivilege that Windows service accounts commonly hold to obtain SYSTEM on a range of Windows client and server releases.
In the same post, Sophos X-Ops laid out the attack sequence: exploitation of the critical vulnerability, followed by an attempted ransomware deployment. Sophos X-Ops reports that its behavioral protection rules and multi-layered security measures thwarted the attack.
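Because the fix shipped on two release branches, a naive "is the version at least 8.7.4?" check misses 8.8.0 and 8.8.1, which are newer than 8.7.4 but still vulnerable. The following script is an added example (not code from the original article, Sophos, or Progress) that triages an asset inventory against the per-branch fix levels; the inventory lines and host names are constructed for illustration, and the handling of branches newer than 8.8 (treated as patched) is an assumption.

```python
"""Check WS_FTP Server versions against the CVE-2023-40044 fix levels.

Progress shipped the fix in WS_FTP Server 8.7.4 and 8.8.2; every earlier
release on those branches, including 8.8.0 and 8.8.1, is vulnerable, and
branches older than 8.7 never received a fix. The inventory below is
constructed for this example and does not describe real hosts.
"""
import re

# First patched build per release branch (major, minor) -> (major, minor, patch).
FIXED_BY_BRANCH = {
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}
# Oldest branch that received a fix; anything below it is unpatched.
OLDEST_FIXED_BRANCH = (8, 7)


def parse_version(text):
    """Extract the first dotted version from a string such as 'WS_FTP Server 8.8.1'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when the version predates the fix on its own branch.

    Branches older than 8.7 never received a fix, so they are always vulnerable.
    Branches newer than 8.8 did not exist at disclosure; this example assumes
    they carry the fix.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True
    return False


def triage_inventory(lines):
    """Map host -> 'VULNERABLE' or 'patched' from 'host<TAB>product version' lines."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product = line.split("\t", 1)
        result[host] = "VULNERABLE" if is_vulnerable(parse_version(product)) else "patched"
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "# host\tproduct",
    "ftp1.example.internal\tWS_FTP Server 8.7.3",
    "ftp2.example.internal\tWS_FTP Server 8.7.4",
    "ftp3.example.internal\tWS_FTP Server 8.8.1",
    "ftp4.example.internal\tWS_FTP Server 8.8.2",
    "ftp5.example.internal\tWS_FTP Server 8.6.0",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it whatever your inventory or vulnerability scanner exports for the product field; the comparison is done as integer tuples so that a 8.7.10 style build never sorts below 8.7.4 the way a string comparison would.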
“It appears that the attackers were only really able to deploy ransomware on the victims’ machine that was running this FTP software itself. However, industrial sectors that use the software to transfer files remain vulnerable,” warned John Bambenek, principal threat hunter at Netenrich.
“Of particular concern is the medical sector, where not only are file transfers between providers important, but the lack of ability to access these records in a timely manner could certainly impact patient care and potentially impact mortality rates.”
According to Melissa Bischoping, director of endpoint security research at Tanium, this incident is a stark reminder of the critical importance of quickly patching known vulnerabilities and maintaining up-to-date security defenses.
“Any vulnerability in a public device such as web servers, FTP servers, or network infrastructure is an attractive target for a malicious actor to compromise. Some organizations may experience delays in patching, either due to visibility issues or delays to avoid disruptive downtime,” explained Bischoping.
“As part of your security strategy, having an action plan to mitigate and remediate vulnerabilities in these critical and exposed services should be part of your vulnerability management planning,” Bischoping added.
To strengthen defenses and better understand this threat, organizations can refer to the indicators of compromise (IOCs) that Sophos X-Ops has published on its GitHub page.