Unpatched WS_FTP servers are being targeted to spread ransomware

News
By Sead Fadilpašić
published

Researchers have observed an attempt at exploiting a WS_FTP instance

A computer being guarded by cybersecurity.
(Image credit: iStock)

Organizations that have not yet patched their WS_FTP Server instances are now being targeted by ransomware. This is according to a new report from cybersecurity experts Sophos X-Ops, who recently thwarted one such attempt against one of their clients.

A relatively unknown threat actor going by the name Reichsadler Cybercrime Group apparently tried to deploy the LockBit 3.0 builder, stolen in September 2022, against an unnamed company. 

"The ransomware actors didn't wait long to abuse the recently reported vulnerability in WS_FTP Server software," the researchers said. "Even though Progress Software released a fix for this vulnerability in September 2023, not all of the servers have been patched. Sophos X-Ops observed unsuccessful attempts to deploy ransomware through the unpatched services."

Automated attacks

In the attack, Reichsadler tried to gain elevated privileges using the open-source tool called GodPotato. Even though the attempt failed, they still left a ransom note, demanding $500 in cryptocurrency. This, the researchers speculate, means that the attackers are either inexperienced, or they automated an attack in which they targeted numerous companies (or both). A Shodan listing showed almost 2,000 vulnerable instances, BleepingComputer reported.

Two weeks ago, Progress (the company behind WS_FTP) published a security advisory in which it detailed fixes for a total of eight vulnerabilities. Two are deemed critical. One is tracked as CVE-2023-40044 (severity rating 10/10), while the other is tracked as CVE-2023-42657 (9.9/10). These vulnerabilities allow threat actors to run a range of malicious activities, including remote code execution.

"Attackers could also escape the context of the WS_FTP Server file structure and perform the same level of operations (delete, rename, rmdir, mkdir) on file and folder locations on the underlying operating system," Progress said in the advisory. 

Prior to the WS_FTP Server news, Progress made headlines after its other product, MOVEit, was at the center of a data theft fiasco that affected more than 2,500 organizations and more than 64 million individuals. 

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.