Update: Mass Exploitation Attempts Against WS_FTP Have Begun
Security researchers have detected a potential mass exploitation of vulnerabilities in Progress Software's WS_FTP Server. The researchers noticed evidence of exploitation on September 30, shortly after Progress released fixes for eight vulnerabilities in WS_FTP. The specific vulnerabilities being exploited were not specified, but it is believed that they are included in Progress' advisory. The attack chain appears to be uniform across all incidents, indicating a possible mass-scale exploitation attempt. The researchers have identified a single domain used in all exploit attempts, suggesting a single perpetrator. The volume of exploit attempts is currently low and not widely visible. The telemetry data indicates that thousands of hosts, including large enterprises and government institutions, are running the vulnerable software. Proof of concept code for one of the vulnerabilities began circulating online shortly after Progress released its advisory. Rapid7 advises users to upgrade to the latest version of WS_FTP and disable or remove the Ad Hoc Transfer module if using it.