Attacks on Maximum Severity WS_FTP Bug Have Been Limited — So Far

After an early flurry of exploit activity, attacks targeting a maximum-severity flaw that Progress Software disclosed in its WS_FTP Server file transfer product last week appear to have been somewhat limited so far.

However, that's no reason for organizations to delay patching the vulnerability as soon as possible, given how widely attackers exploited a similarly critical zero-day flaw that Progress reported in its MOVEit file transfer software in May.

Max Severity Bug

CVE-2023-40044 is a .NET deserialization vulnerability in WS_FTP that researchers have shown can be exploited with a single HTTPS POST and some specific multi-part data. Progress disclosed the bug on Sept. 27, with a recommendation for organizations to apply the company's update for it as soon as possible.

The bug is present in the optional Ad Hoc Transfer module of WS_FTP and affects all supported versions of the software. The flaw has a maximum possible severity score of 10.0 on the CVSS scale because of how easily exploitable it is and the fact that it enables an unauthenticated attacker to run remote commands on the WS_FTP Server's underlying operating system. CVE-2023-40044 was one of eight vulnerabilities that Progress disclosed last week.

Early PoCs and Exploit Activity

Proof-of-concept exploit code for the vulnerability became available soon after disclosure from Assetnote, the company that reported the vulnerability to Progress, and from others including "MCKSys Argentina," the security researcher who reported the zero-day to Progress earlier this year.

The PoCs contributed to some early exploit activity targeting the flaw. Rapid7, for instance, said it had observed exploitation of one or more of the WS_FTP vulnerabilities in multiple customer environments. The attacks happened in near simultaneous fashion and bore all the hallmarks of mass exploitation of an affected WS_FTP server. Rapid7 also reported seeing the same Burpsuite domain involved in all attacks and quickly theorized a single actor was likely behind the attacks.

In a technical analysis on Oct. 2, Rapid7 provided a detailed description of CVE-2023-40044 and how its researchers exploited the flaw. The security vendor assessed the vulnerability as being of potentially "very high" value for attackers.

Caitlin Condon, head of vulnerability research at Rapid7, says her company observed multiple instances of WS_FTP Server exploitation in customer environments on Saturday, Sept 30. "While the activity we saw bore the hallmarks of possible mass exploitation, it has fortunately so far been limited to September 30," she says. "All incidents included similar behavior, which may indicate that a single adversary was behind the activity we saw," Condon notes.

Rapid7 has not been able to link the attacks to any particular WS_FTP vulnerability but it is likely that at least some of the activity is attributable to CVE-2023-40044. "In at least one case Rapid7 observed, the Microsoft IIS error from a Windows event log shows the expected call stack from exploiting the deserialization vulnerability CVE-2023-40044," Condon noted. "CVE-2023-40044 is also the vulnerability most likely to yield server-side code execution directly." None of the attacks resulted in any data exfiltration and all incidents have been contained, she adds.

Limited in Number

Huntress Labs also reported observing some attacks targeting CVE-2023-40044 and other WS_FTP flaws. But as the company's senior security researcher John Hammond explains, the attacks have been limited in number so far. "Huntress has observed just less than a dozen attacks against WS_FTP and the CVE-2023-40044 vulnerability," Hammond says. The attacks have ranged "between just a simple nslookup DNS query to validate the code execution, to staging new payloads via forced downloads and installing persistence mechanisms."

Hammond says the exploit activity that Huntress observed appears to have been opportunistic in nature and indicative of attackers casting a wide net to see if they could snag any WS_FTP servers that are still vulnerable. "Anecdotally, we've noticed that the WS_FTP installations within our visibility look to be used primarily by financial institutions and healthcare providers," he notes. Huntress has provided indicators of compromise for the activity it observed.

Meanwhile, Internet monitoring firm Censys said that a search it conducted for vulnerable WS_FTP servers on the Internet showed there are substantially fewer of them than originally assumed. According to the firm, while there are over 4,000 Internet-accessible WS_FTP hosts, just 325 of them appear to have the Ad Hoc Transfer Module enabled. Of these, some 91 hosts had already disabled the service by Sept. 29. "The number of potentially vulnerable servers is much lower than expected, which is not the worst news," Censys said. Compared to systems exposed to the MOVEit vulnerability, of which there are still several thousand instances online, there are relatively fewer hosts running WS_FTP, Censys said.

In an emailed statement, Progress expressed disappointment over how quickly third-parties had released PoCs for the vulnerabilities disclosed last week. "This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch," the statement said. "We are not aware of any evidence that these vulnerabilities were being exploited prior to that release."