Ransomware gang targets critical Progress WS_FTP Server bug

Ransomware actors are targeting a critical flaw in Progress Software's WS_FTP Server secure file transfer product, according to Thursday posts from Sophos' X-Ops team on Mastodon.

Sophos said threat actors utilized CVE-2023-40044 in "unsuccessful attempted ransomware activity" against customers of Progress' WS_FTP Server from what appeared to be leaked LockBit 3.0 code. The attacks were stopped, the security vendor said, because "Sophos' behavioral protection rule C2_10a (MITRE ATT&CK technique T1071.001) stopped the ransomware download in the customer environment when a suspicious script made an outbound connection to a high-risk URI."

CVE-2023-40044 is a critical flaw disclosed and patched on Sept. 27 by Progress. Originally discovered by Assetnote co-founder and CTO Shubham Shah and software engineering manager Sean Yeoh, the flaw has a CVSS rating of 10 -- the highest severity rating possible.

According to Progress' advisory, "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system." Customers are urged to update their instances to a supported version or by disabling the Ad Hoc Transfer Module.

The flaw was disclosed alongside CVE-2023-42657, a directory traversal flaw in WS_FTP Server versions prior to 8.7.4 and 8.8.2, with a CVSS score of 9.9. It was similarly patched.

Researchers at vendors such as Rapid7 and Bitdefender observed evidence of CVE-2023-40044 exploitation in the days following its disclosure.

"Our research team has identified what appears to be the .NET deserialization vulnerability (CVE-2023-40044) and confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget," Rapid7's post read. "As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild."

Sophos X-Ops pointed out in its Mastodon posts that the ransomware actors "didn't wait long" to exploit the flaw. Although Progress patched CVE-2023-40044, "not all of the servers have been patched." Similarly, Bitdefender said on Oct. 5 that more than 2,000 vulnerable servers remained.

Sophos attributed activity to a ransomware gang known as the "Reichsadler Cybercrime Group" and shared a ransomware letter from the threat actor demanding $500 in Bitcoin from its target.

A spokesperson for Progress Software shared the following statement.

"Progress is pleased to see industry security providers such as Sophos offering solutions that increase the overall security of servers running internet facing products such as WS_FTP," the spokesperson said. "This exemplifies the 'defense in depth' mindset that is so important these days. Once again, we encourage WS_FTP customers who have yet to patch their installations to do so as soon as possible."

TechTarget Editorial asked Sophos whether it had identified a connection between this threat activity and activity against Progress Software's MoveIt Transfer product. Christopher Budd, director of threat intelligence at Sophos, said in an email that while the security vendor was looking for such a connection, it hadn't found any correlation at this time.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.