Security
Headlines
HeadlinesLatestCVEs

Headline

Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug

A vulnerability with a 9.8 CVSS rating in IBM’s widely deployed Aspera Faspex offering is being actively exploited to compromise enterprises.

DARKReading
#vulnerability#web#windows#linux#red_hat#ibm

A critical bug in IBM’s popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch.

Months after IBM released a patch for the critical vulnerability, it’s being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. Immediate action is needed, the researchers said.

“We strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur,” Caitlin Condon, senior manager of security research at Rapid7, warned in a blog post.

Under the Hood of a 9.8 CVSS IBM Vulnerability

IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California, according to Enlyft, and is so lauded that it has literally won an Emmy.

The vulnerability exists in Faspex’s version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale.

“By sending a specially crafted obsolete API call,” IBM explained in a security bulletin published on Jan. 26, an attacker could remotely deploy their own code onto any target system running Faspex.

The bug was first reported to IBM back on Oct. 6, 2022, and remedied on Dec. 8, in 4.4.2 Patch Level 2.

Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986.

In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

Why Can’t Everyone Just Patch Already?

Rarely in life do severe problems have instant remedies, yet CVE-2022-47986 is utterly amenable with a simple upgrade to Patch Level 2, or the newest Patch Level 3, released March 20, according to Condon. Why, with such a simple solution just a few clicks away, is any organization still vulnerable?

Negligence may be the answer in many cases. “Folks don’t necessarily have consistent regular patch cycles,” Condon tells Dark Reading. “We’re seeing vulnerable software and appliances still exposed to the Internet after months and sometimes years.” Indeed, as of last month, there were nearly 140 instances of Aspera Faspex exposed on the Web, she noted.

In certain cases, though, “I would not be surprised if this is difficult to patch,” Condon says. “A lot of our analysis involved simply trying to set up the software and get it to work. So whether it’s a complex stack or just software that is finicky when you set it up, that can also mean that it is difficult to patch.”

Companies that haven’t already patched, and can’t do so immediately, have limited options left to protect themselves. “Putting in a couple layers of defense there would be very helpful,” Condon says, and taking Aspera Faspex offline is absolutely crucial.

Ultimately, the only surefire fixes are to either patch or abandon the software outright, she adds.

“We’re aware that when we say ‘Hey, if you can’t patch, shut it down,’ that’s not necessarily practical for everyone,” she explains. “So at the very least, take it off the public Internet, and put any other controls you can think of in place.”

Related news

Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems

An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align

Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week. CVE-2022-46169 relates to a critical

IceFire Ransomware Portends a Broader Shift From Windows to Linux

IceFire has changed up its OS target in recent cyberattacks, emblematic of ransomware actors increasingly targeting Linux enterprise networks, despite the extra work involved.

IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to

U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows - CVE-2022-47986 (CVSS score: 9.8) - IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 (CVSS score: 6.8) - Mitel MiVoice Connect Code Injection

CVE-2022-47986: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-

IBM Aspera Faspex 4.4.1 could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel