WS_FTP Server Exploit with a Familiar Attack Chain
Sophos X-Ops reports on Mastodon that CVE-2023-40044, a .NET deserialization vulnerability in Progress Software's WS_FTP Server, is being actively exploited to deploy ransomware. The flaw carries a vendor rating of 10/10, and Progress addressed it with a hotfix released on September 27th, 2023. The attack chain Sophos describes matches the pattern Rapid7 reported about a week after Progress's advisory: the vulnerability is triggered through WS_FTP Server's IIS-hosted component, so the follow-on payloads are spawned by the IIS worker process, w3wp.exe. Those payloads include a PowerShell script, the privilege escalation tool "GodPotato" (which abuses the impersonation privileges normally held by service accounts such as the IIS worker process to obtain SYSTEM), and the ransomware executable itself. The attackers also attempted to disable Windows Defender's monitoring capabilities. According to Sophos's analysis, the ransomware used in these attacks appears to have been "compiled from the leaked Lockbit 3.0 source code."
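The chain above (IIS worker process spawning a shell, Defender tampering, a Potato-family privilege escalation tool) lends itself to process-tree detection. The following is an added example, not code from Sophos, Rapid7 or Progress: it walks constructed process-creation events in a Sysmon Event ID 1 style (pid, ppid, image, command line) and tags anything that descends from w3wp.exe or matches the tampering patterns. The sample events, file names and command lines are made up for illustration and are not indicators from the actual intrusion.

```python
"""Process-tree detection for the WS_FTP Server (CVE-2023-40044) post-exploitation
chain: w3wp.exe spawning a shell, Defender tampering and a Potato-style privesc tool.
All events below are constructed for this example, not real telemetry."""

import ntpath
import re

# Shells a web server worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Obvious, un-obfuscated Defender tampering. Caveat: an encoded command
# (powershell -enc ...) or a script file hides these strings from a plain regex,
# so pair this with script-block logging or AMSI telemetry in practice.
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\s+-Disable\w+"
    r"|Add-MpPreference\s+-Exclusion\w+"
    r"|sc(\.exe)?\s+(stop|config)\s+WinDefend)",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical pids, paths and command lines).
SAMPLE_EVENTS = [
    {"pid": 3300, "ppid": 900,
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r'w3wp.exe -ap "DefaultAppPool"'},
    {"pid": 4120, "ppid": 3300,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 4302, "ppid": 4120,
     "image": r"C:\Windows\Temp\GodPotato-NET4.exe",  # assumed file name
     "cmdline": r'GodPotato-NET4.exe -cmd "cmd /c C:\Windows\Temp\enc.exe"'},
    # Benign noise: an interactive user launching cmd and querying Defender.
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]


def basename(path):
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def ancestors(event, by_pid):
    """Yield the parent chain via ppid; stop at unknown pids or a loop."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def classify(event, by_pid):
    """Return the detection tags that apply to one process-creation event."""
    tags = []
    parent = by_pid.get(event["ppid"])
    # Structural signal: the IIS worker directly launching a shell. This is the
    # durable indicator; renaming a tool does not change the parent/child pair.
    if parent and basename(parent["image"]) == "w3wp.exe" and basename(event["image"]) in SHELLS:
        tags.append("w3wp_spawned_shell")
    if any(basename(a["image"]) == "w3wp.exe" for a in ancestors(event, by_pid)):
        tags.append("descends_from_w3wp")
    if DEFENDER_TAMPER.search(event["cmdline"]):
        tags.append("defender_tamper")
    # Name-based signal only; a renamed binary evades it, which is why the
    # ancestry tags above matter more.
    if "potato" in basename(event["image"]) or "potato" in event["cmdline"].lower():
        tags.append("potato_privesc")
    return tags


def scan(events):
    """Map pid -> tags for every event that triggered at least one detection."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        tags = classify(e, by_pid)
        if tags:
            findings[e["pid"]] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The three flagged processes are exactly the ones under the IIS worker; the interactive cmd.exe and the Get-MpPreference query are ignored because they neither descend from w3wp.exe nor change Defender settings. In a real deployment the ancestry check should be fed from an EDR or Sysmon stream rather than a static list, and the first tag alone (a w3wp.exe to shell edge) is worth an alert on any WS_FTP host.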
As of October 17th, 2023, more than two weeks after Progress's advisory and hotfix, a Shodan review identified nearly 2,000 internet-facing WS_FTP Server instances that remain vulnerable to this exploit. More than 65% of them are located in the United States.