Security News > 2023 > October > Now MOVEit maker Progress patches holes in WS_FTP

Infosec in brief Progress Software, maker of the mass-exploited MOVEit document transfer tool, is back in the news with more must-apply security patches, this time for another file-handling product: WS FTP. We're told this software's ad hoc transfer module and WS FTP's server management interface were found to have eight vulnerabilities, with CVSS severity scores ranging from 5.3 all the way to 10 out of 10.

At their most severe, all versions of WS FTP Server prior to 8.7.4 and 8.8.2 are vulnerable to a.NET deserialization attack from a pre-authenticated attacker.

Johnson Controls, a massive industrial control systems concern, has been hit by an equally massive ransomware attack that has reportedly taken a number of its systems offline and may even pose a national security risk.

Vc, the group behind the claimed attack, is a relative newcomer whose attacks have raised questions in the underground world.

While it hasn't confirmed the NTT Docomo attack and Sony incidents are linked, the security shop said it's investigating "Whether the Sony incident served as an intrusion vector for broader supply-chain compromise that enabled the group to illegally access the telecom operator's data."

Vc reportedly claimed to have abandoned trying to get Sony to pay a ransom and instead was looking for a buyer for 3.14GB of data stolen from the tech giant, but another individual released all the data while claiming Ransomed was lying about their attack.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/01/in_brief_infosec/