Infosec in brief Progress Software, maker of the mass-exploited MOVEit document transfer tool, is back in the news with more must-apply security patches, this time for another file-handling product: WS_FTP.

We're told this software's ad hoc transfer module and WS_FTP's server management interface were found to have eight vulnerabilities, with CVSS severity scores ranging from 5.3 all the way to 10 out of 10.

At their most severe, all versions of WS_FTP Server prior to 8.7.4 and 8.8.2 are vulnerable to a .NET deserialization attack from a pre-authenticated attacker. If successful, the attacker could execute commands on the underlying host system, leveraging the other seven vulnerabilities, such as path traversal, XSS, SQL injection, missing cross-site request forgery protection, and the like. 

According to the Progress' website, WS_FTP is used by some high-profile customers, including Scientific American, clothing store H&M, and the The Denver Broncos American football team to name a few. Those companies, and the rest of the WS_FTP community, are being advised to update their installation immediately. Exploitation of these bugs could well lead to public-facing systems being hijacked, and IT networks infiltrated at a large scale.

For those who don't recall, a hole in Progress' MOVEit software allowed miscreants to break into at least 400 organizations so far. Progress is facing over a dozen lawsuits connected to the MOVEit security fiasco. The Cl0p ransomware gang notably exploited the flaw to swipe people's data.

Progress said it has seen no evidence that the WS_FTP vulnerabilities have been exploited in the wild, which is similar to what it said about another bug discovered in MOVEit in June. 

MOVEit attacks are ongoing as orgs fail to update their installations. Patches for WS_FTP are available for all supported versions, as well as a workaround for those who can't immediately fix the flaws. 

Johnson Controls hit by IT 'disruption'

Johnson Controls, a massive industrial control systems concern, has been hit by an equally massive ransomware attack that has reportedly taken a number of its systems offline and may even pose a national security risk. 

The afflicted business admitted to a "cybersecurity incident" in an SEC filing this week that multiple sources reported as a ransomware attack whose perpetrators made off with more than 27 terabytes of company data - neither of which Johnson has confirmed.  

"Johnson Controls International plc (the "Company") has experienced disruptions in portions of its internal information technology infrastructure and applications," the biz said, adding that other systems "are largely unaffected and remain operational." 

According to one cybersecurity researcher, a ransomware group called Dark Angels is behind the attack. The group is reportedly demanding a $51 million ransom from Johnson Controls. 

The US Department of Homeland Security is also reportedly concerned that some of the stolen data may include sensitive information about Uncle Sam's buildings, as Johnson handles physical security equipment for several important facilities.

Japanese ransomware attack triggers supply chain fears

A group that recently claimed to have leaked data stolen from Sony online has apparently struck again, claiming to have hit Japanese cell carrier NTT Docomo in what researchers fear could be a sign of a new supply chain attack.

Ransomed.vc, the group behind the claimed attack, is a relative newcomer whose attacks have raised questions in the underground world. But researchers at Resecurity are worried the miscreants may have used the Sony attack to sow seeds of future chaos. 

While it hasn't confirmed the NTT Docomo attack and Sony incidents are linked, the security shop said it's investigating "whether the Sony incident served as an intrusion vector for broader supply-chain compromise that enabled the group to illegally access the telecom operator's data." 

Ransomed.vc reportedly claimed to have abandoned trying to get Sony to pay a ransom and instead was looking for a buyer for 3.14GB of data stolen from the tech giant, but another individual released all the data while claiming Ransomed was lying about their attack. ®

https://www.theregister.com//2023/10/01/in_brief_infosec/