US HC3 issues sector alert warning of Progress Software WS_FTP critical vulnerabilities


The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) unit published Friday a sector alert detailing the Progress Software WS_FTP critical vulnerabilities. The agency ‘encourages patching and upgrading of these devices to prevent serious damage’ to the healthcare and public health (HPH) sector.

“Progress Software, the maker of the MOVEit file transfer software which was widely exploited by the CL0P ransomware-as-a-service (RaaS) group, has released a new advisory regarding multiple vulnerabilities in the WS_FTP Server, a file transfer product,” the HC3 alert said. “Two of the vulnerabilities were rated as critical and are being tracked as CVE-2023-40044, which can allow an attacker to execute remote commands, and as CVE-2023-4265, which is a directory traversal vulnerability.”

The agency identified that on Sept. 27, Progress Software released an advisory regarding multiple vulnerabilities in their globally-used file transfer software, the WS_FTP Server. “WS_FTP is reportedly used by thousands of IT teams, and two new critical vulnerabilities have been identified within it.” 

Progress Software, maker of the MOVEit Transfer file-sharing platform, faced reports in June that ‘several’ U.S. federal agencies had been affected by a global cyberattack exploiting a vulnerability in its MOVEit applications.

“The vulnerabilities are being tracked as CVE-2023-40044 and CVE-2023-4265. CVE-2023-40044 affects versions prior to 8.7.4 and 8.8.2, allowing a pre-authenticated attacker to leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system,” according to the HC3 alert. “CVE-2023-4265 is a directory traversal vulnerability that impacts the same versions. If successfully exploited, an attacker could leverage this to perform file operations (delete, rename, rmdir, mkdir) on files and folders that are outside of the authorized WS_FTP path. Additionally, the attacker could escape the WS_FTP server file structure and perform the same operations on the operating system.”
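The directory traversal flaw described above is, in general terms, a file-operation handler that joins a client-supplied path onto a user's authorized directory without confirming where the result lands. The following is an added illustration of that bug class and its fix, written for this article; it is not WS_FTP Server code and does not describe how the product's handler is implemented. The root directory, the user name and the sample requests are constructed assumptions. The naive resolver shows how `..` segments and absolute paths climb out of the authorized path, and the hardened resolver shows the containment check that a handler for delete, rename, rmdir and mkdir should apply before touching anything.

```python
import posixpath

# Constructed example: a hypothetical per-user authorized directory. The path
# and user are assumptions for illustration, not WS_FTP Server's real layout.
AUTHORIZED_ROOT = "/srv/ftp/alice"


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable pattern: join the client-supplied path onto the root and
    normalize it, but never check where the result actually landed.
    '..' segments climb out of the root, and an absolute path discards it."""
    return posixpath.normpath(posixpath.join(root, requested.replace("\\", "/")))


def safe_resolve(root: str, requested: str) -> str:
    """Hardened pattern: normalize first, then require the canonical result to
    be the root itself or to sit strictly below it (root + '/')."""
    root = posixpath.normpath(root)
    requested = requested.replace("\\", "/")  # treat Windows separators as separators too
    if posixpath.isabs(requested):
        raise PermissionError(f"absolute path not allowed: {requested!r}")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # The trailing '/' matters: a bare startswith(root) would accept
    # '/srv/ftp/alice2/...' as being inside '/srv/ftp/alice'.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes authorized root: {candidate!r}")
    return candidate


def audit_requests(root: str, requests):
    """Evaluate (operation, path) pairs the way a file-operation handler should:
    return which requests the hardened check allows and which it denies, with
    the resolved target for allowed ones. Nothing touches the filesystem."""
    results = []
    for op, requested in requests:
        try:
            results.append((op, requested, "allowed", safe_resolve(root, requested)))
        except PermissionError as exc:
            results.append((op, requested, "denied", str(exc)))
    return results


# Constructed sample of client requests covering the four operations the alert names.
SAMPLE_REQUESTS = [
    ("mkdir", "incoming/2023-10"),
    ("rename", "incoming/report.csv"),
    ("delete", "../../../etc/passwd"),
    ("rmdir", "..\\..\\Windows\\Temp"),
    ("delete", "/etc/passwd"),
    ("rmdir", "../alice2/shared"),
]

if __name__ == "__main__":
    for op, requested in SAMPLE_REQUESTS:
        print(f"{op:7} {requested!r:28} naive -> {naive_resolve(AUTHORIZED_ROOT, requested)}")
    for row in audit_requests(AUTHORIZED_ROOT, SAMPLE_REQUESTS):
        print(row)
```

The example works on path strings only, so it runs the same on any platform; a real server on Windows additionally has to reject drive letters, UNC prefixes and device names, and should resolve symbolic links and junctions before applying the containment check, since normalization alone does not see them.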

The remaining reported vulnerabilities include CVE-2023-40045 (CVSS 8.3), a reflected XSS in the WS_FTP Server’s ad hoc transfer module; CVE-2023-40046 (CVSS 8.2), a SQL injection vulnerability in the WS_FTP Server manager interface; CVE-2023-40047 (CVSS 8.3), a stored XSS vulnerability in WS_FTP Server’s Management module; and CVE-2023-40048 (CVSS 6.8), a cross-site request forgery vulnerability in WS_FTP. The alert also covered CVE-2022-27665 (CVSS 6.1), a reflected XSS in Progress Ipswitch WS_FTP Server 8.6.0, and CVE-2023-40049 (CVSS 5.3), a file enumeration vulnerability in the ‘WebServiceHost’ directory.

The HC3 alert pointed out that recent operations conducted by the CL0P ransomware group, which are believed to have started in May 2023, actively targeted a zero-day vulnerability in Progress Software’s MOVEit file transfer application. The vulnerability is tracked as CVE-2023-34362, and the group successfully compromised thousands of organizations worldwide, including in the healthcare sector.

“HC3 strongly encourages all users to follow the manufacturer’s recommendation and upgrade to the highest version available (8.8.2) to prevent any damage from occurring against the HPH sector,” the alert said. “Organizations that are not able to update immediately can still disable the WS_FTP Server Ad hoc Transfer Module.”
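For an organization running several WS_FTP Server instances, the practical first step is to turn the alert's version guidance into an inventory check. The following is an added example written for this article, not an HC3 or Progress tool. Its reading of "versions prior to 8.7.4 and 8.8.2" as two release lines each with its own fixed build, with anything older than the 8.7 line vulnerable, is an assumption stated in the code; the hostnames, versions and the `can_patch_now` and `ad_hoc_enabled` inventory fields are constructed for the example. It also shows why versions must be compared as number tuples rather than strings.

```python
from typing import Dict, List, Tuple

# Assumption drawn from the alert's wording ("versions prior to 8.7.4 and
# 8.8.2"): each release line has its own fixed build, and anything older than
# the 8.7 line predates both fixes. This mapping is the example's reading of
# the alert, not a vendor-published table.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}
RECOMMENDED_VERSION = (8, 8, 2)  # the highest version the alert names


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.8.1' into (8, 8, 1). Tuples compare numerically, which is why
    this is done instead of comparing strings ('8.10.0' < '8.8.2' as text)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True when the installed build is below the fixed build for its line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BUILDS:
        return v < FIXED_BUILDS[line]
    return v < (8, 7, 4)


def triage(inventory: List[dict]) -> Dict[str, str]:
    """Map each host to the action the alert recommends: upgrade when
    vulnerable and, where that cannot happen immediately, disable the
    Ad Hoc Transfer Module as the interim measure. 'can_patch_now' and
    'ad_hoc_enabled' are constructed inventory fields, not product settings."""
    actions: Dict[str, str] = {}
    for host in inventory:
        name = host["host"]
        if not is_vulnerable(host["version"]):
            actions[name] = "patched"
        elif host["can_patch_now"]:
            actions[name] = "upgrade to " + ".".join(map(str, RECOMMENDED_VERSION))
        elif host["ad_hoc_enabled"]:
            actions[name] = "disable Ad Hoc Transfer Module, then schedule upgrade"
        else:
            actions[name] = "Ad Hoc Transfer Module already disabled; schedule upgrade"
    return actions


# Constructed inventory: hostnames, versions and flags are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "xfer-01", "version": "8.8.2", "can_patch_now": True, "ad_hoc_enabled": True},
    {"host": "xfer-02", "version": "8.8.1", "can_patch_now": True, "ad_hoc_enabled": True},
    {"host": "xfer-03", "version": "8.7.3", "can_patch_now": False, "ad_hoc_enabled": True},
    {"host": "xfer-04", "version": "8.7.4", "can_patch_now": False, "ad_hoc_enabled": True},
    {"host": "xfer-05", "version": "8.6.0", "can_patch_now": False, "ad_hoc_enabled": False},
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Disabling the module only removes the exposure the alert ties to it; the hosts it is applied to still need the upgrade scheduled, which is why the triage output keeps that step attached to the interim action.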

The HC3 also published Friday an analyst note detailing LokiBot malware, noting that, despite the malware’s apolitical targeting across critical infrastructure, its adverse effect on the HPH sector shows its reach.

“Primarily targeting Windows devices and Android phones, its capabilities include logging keystrokes, capturing screenshots, and stealing everything from email credentials, payment card data, and cryptocurrency wallet passwords, to the cookies and system data needed to bypass multi-factor authentication,” the HC3 detailed. “These functionalities, combined with continually updating their initial access methods, have made it easier and more efficient for threat actors to use the malware to spread and infect systems across all critical infrastructure sectors.” 

The agency warned that since LokiBot is an infostealer, its primary purpose is to steal user credentials from infected machines. “According to researchers, LokiBot is capable of stealing credentials from over 100 different clients. The impact of the theft of these credentials depends on their purpose.” 

Additionally, successful credential theft could allow an attacker to steal sensitive data, access other systems within an organization’s network, or pursue other objectives. In addition to this core infostealing functionality, LokiBot also incorporates modules that can be used for other purposes.

Last month, the HC3 released a threat brief outlining North Korean and Chinese cybercrime threats to the HPH sector. The document identifies China as the ‘most powerful cyber power in the region,’ and provides an overview of common cybercriminal features and characteristics.
