Sophos X-Ops incident responders say they have observed ransomware
threat actors exploiting a recently-disclosed vulnerability in Progress
Software’s WS_FTP servers. Progress Software released a fix for the
vulnerability in September.
The attacks by the Reichsadler Cybercrime Group, which target Windows systems, start with w3wp (IIS component), "GodPotato" (an open-source privilege-escalation tool), then LB3 (ransomware payload crafted using an acquired copy of the LockBit 3.0 ransomware builder). Make sure that you've updated your WS_FTP server to the latest version, then find an alternative to FTP file transfers.
Will this be another MOVEit-like bug from the same manufacturer? It could depend on whether the same IT teams purchase from the same vendors. If you look for the WS_FTP server strings in Shodan, you’ll find about 1800 WS_FTP servers listening on port 21. Does that mean there are 1800 targets? Could be.
Read more in:
- www.scmagazine.com: WS_FTP servers targeted in ransomware attacks
- www.infosecurity-magazine.
- www.bleepingcomputer.com: Ransomware attacks now target unpatched WS_FTP servers
- infosec.exchange: Sophos X-Ops
- community.progress.com: WS_FTP Server Critical Vulnerability - (September 2023)