Hackers seen exploiting bugs in browsers and popular file transfer tool

A vulnerability affecting a widely used tool embedded in web browsers and a separate bug in a popular file transfer tool are being exploited by hackers, according to both government officials and cybersecurity experts.

The Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that hackers are exploiting CVE-2023-5217 — a vulnerability affecting Google’s Chrome browser, Mozilla’s Firefox and more.

Google researchers first published information about the bug last week and said it was being exploited by unnamed commercial spyware vendors. Google said it was keeping information about the bug restricted so that users had a chance to install a fix.

Like another issue discovered last month, the vulnerability affects a media processing tool embedded within browsers. Initially the flaw only appeared to affect Google products, but other browser makers identified the same problem, with Mozilla publishing its own advisory that rated CVE-2023-5217 as critical.

Specifically, the new bug affects an open source tool known as “libvpx.” Besides browsers, the code can be found in many other internet-based platforms, but it is unclear whether the vulnerability affects anything beyond browsers. The similar issue discovered last month affected the “libwebp” tool.

The flaws in both tools have reignited concerns about the security of open source software, due to the ubiquity of such code across a variety of products.

The issue is so dire that the White House held a summit last month on the topic, unveiling a roadmap for how the government plans to address it.

WS_FTP Server exploited

Cybersecurity experts also are warning this week about the exploitation of flaws in a popular file transfer tool. Progress Software — the company behind the widely breached MOVEit file transfer tool — said last week that another one of its products, WS_FTP Server, has several vulnerabilities that should be patched immediately.

Initially, experts were heartened to discover that there was no proof-of-concept exploit available and no evidence of exploitation of CVE-2023-40044 — the most critical of the vulnerabilities disclosed

But by Saturday, incident response teams at cybersecurity company Rapid7 reported the first instances of exploitation. Several other security experts have said ransomware gangs are seizing on the vulnerability.

“We saw similar attacker behavior across the incidents we observed over the weekend, which may indicate that a single adversary was behind the activity,” Caitlin Condon, head of vulnerability research at Rapid7, told Recorded Future News. “We also have not seen any data exfiltration so far.”

Condon noted that there was no evidence yet that the vulnerability was a target of the Clop ransomware gang, which has used bugs in several file transfer tools to steal data from dozens of governments, schools and major companies.

In a blog post, Condon explained that in the evening hours of September 30, Rapid7 observed exploitation in multiple customer systems. The alerts came within minutes of each other and the process was identical across all instances.

BleepingComputer confirmed on Monday that a proof-of-concept (PoC) exploit for CVE-2023-40044 was published by security researchers on X (formerly Twitter) this weekend. A spokesperson for Progress Software took issue with the unnamed researcher who published the PoC.

“We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on Sept. 27. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” the spokesperson told Recorded Future News.

“We are not aware of any evidence that these vulnerabilities were being exploited prior to that release. Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers. We are encouraging all WS_FTP server customers to patch their environments as quickly as possible.”

They added that while the company works with “responsible third-party research experts” on cybersecurity, it hopes that the community will “discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors.”

John Hammond, principal security researcher for the Huntress security platform, said it has less than 100 endpoints under its management that make use of the WS_FTP service but confirmed that exploitation was occurring. In at least one instance, Huntress saw actors trying to use tools to maintain access to compromised systems.

There are differing views on how many vulnerable systems are out there. Assetnote, the security company that discovered and reported the issue, said there “are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation).”

“Most of these online assets belong to large enterprises, governments and educational institutions,” Assetnote added.

BleepingComputer backed that figure with a search on research tool Shodan, which showed less than 2,000 devices running WS_FTP Server that are currently available over the Internet.

Researchers at security firm Censys said on Monday that the number may be even lower.

“We discovered that out of the 325 WS_FTP servers with this HTTP service running, we only found that 91 hosts (28%) have disabled the Ad Hoc Transfer module,” they said.

“Compared to the total number of WS_FTP servers running the FTP and SCP interface, which total over 4,000 hosts, the number of potentially vulnerable servers is much lower than expected, which is not the worst news.”