The Gap Is Open: Reichsadler Attacks Reach Vulnerable WS_FTP Servers

Vulnerable WS_FTP servers that are reachable from the Internet have become the target of mass ransomware attacks.

According to a recent report by the cybersecurity company Sophos, a cybercriminal group known as Reichsadler is launching widespread attacks, using malicious programs whose code leaked online in September 2022, and is specifically targeting vulnerable servers running the WS_FTP software.

The Sophos X-Ops report states: “The criminals wasted no time and began exploiting the recently discovered vulnerability in the WS_FTP Server software.”

Although Progress Software released a patch for this vulnerability last month, not all servers have been updated. Sophos X-Ops recorded several unsuccessful attempts to deploy ransomware through unpatched servers.

The attackers attempted to use the open-source tool GodPotato, which escalates privileges to NT AUTHORITY\SYSTEM on Windows clients (Windows 8 through Windows 11) and servers (Windows Server 2012 through Windows Server 2022). However, Sophos’ protections blocked the deployment of the malicious programs on the targeted systems.

Interestingly, despite the failed encryption attempt, a ransom note demanding $500 for decryption still appeared on the victims’ devices.

The small ransom amount suggests that the attackers’ primary goal in targeting Internet-facing WS_FTP servers is to compromise as many systems as possible, rather than to extract large payments from any one victim.

The critical WS_FTP vulnerability, tracked as CVE-2023-40044 and reported earlier, stems from a flaw in the .NET Ad Hoc Transfer module that allows attackers to execute commands on the underlying operating system via remote HTTP requests.

On September 27, Progress Software released security updates and strongly advised all administrators to update their vulnerable installations. For organizations that cannot update their servers immediately, a temporary measure that blocks incoming attacks is to disable the vulnerable WS_FTP Server Ad Hoc Transfer module.
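A defensive triage step that follows from the advice above, as an added example (not code from the article, Sophos or Progress): parse IIS W3C logs from the WS_FTP host and list every request that reached the Ad Hoc Transfer module, so an administrator can see whether the module was being hit from outside before it was patched or disabled. The `/aht/` URL prefix and the internal address ranges are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import namedtuple

# Assumptions (not from the article): the Ad Hoc Transfer module answers under
# this URL prefix, and these are the organisation's own address ranges.
AHT_PREFIX = "/aht/"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# external is True when the client address lies outside INTERNAL_NETS
Hit = namedtuple("Hit", "time client_ip method uri status external")


def parse_iis_w3c(lines):
    """Yield one dict per record, mapping columns via the #Fields: directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip() or fields is None:
            continue                           # other directives, blanks, or no header yet
        else:
            parts = line.split()
            if len(parts) == len(fields):      # skip malformed records
                yield dict(zip(fields, parts))


def find_aht_hits(lines):
    """Return every request whose URI falls under the Ad Hoc Transfer module."""
    hits = []
    for row in parse_iis_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        if not uri.lower().startswith(AHT_PREFIX):
            continue
        ip = ipaddress.ip_address(row["c-ip"])
        hits.append(Hit(f"{row['date']} {row['time']}", str(ip), row["cs-method"],
                        uri, int(row["sc-status"]),
                        not any(ip in net for net in INTERNAL_NETS)))
    return hits


# Constructed sample log in IIS W3C format; addresses and paths are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-10-02 03:14:07 203.0.113.45 POST /AHT/transfer 200
2023-10-02 03:14:09 203.0.113.45 POST /AHT/transfer 500
2023-10-02 08:00:00 10.0.0.12 GET /login 200
2023-10-02 08:05:31 10.0.0.12 POST /AHT/transfer 200""".splitlines()
```

Any hit with `external` set to True on a host that has not yet been patched is a prompt to check that server for the ransom note and GodPotato artefacts described above.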

It is worth
