Critical Vulnerability in IBM Aspera Faspex Allows Ransomware Attacks: Urgent Patching Required

Security researchers have warned of a critical vulnerability in IBM Aspera Faspex, a file-exchange application that large organizations use to transfer large files at high speeds. The vulnerability, tracked as CVE-2022-47986, makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The severity rating of the vulnerability is 9.8 out of a possible 10, indicating that the damage caused by the exploitation of the vulnerability could be severe.

Threat actors are exploiting the vulnerability to install ransomware on servers, which can lead to data loss and financial losses for organizations. The IceFire ransomware group is exploiting the vulnerability to install a Linux version of its file-encrypting malware. Since phishing attacks are harder to pull off on Linux servers, the group has pivoted to the IBM vulnerability to spread its Linux version. The vulnerability is also being exploited to install ransomware known as Buhti.

IBM patched the vulnerability in January, but security researchers have reported that exploitation attempts are still ongoing. Rapid7, a security firm, recently responded to an incident in which a customer was breached using the vulnerability. The firm strongly recommends patching the vulnerability on an emergency basis, without waiting for a typical patch cycle to occur.

If you use Aspera Faspex in your organization, it's crucial to update the software to patch the vulnerability immediately. IBM has published an advisory for multiple security issues affecting its Aspera Faspex software, including CVE-2022-47986. Vulnerability details and working proof-of-concept code have been available since February, and there have been multiple reports of exploitation since then.

InsightVM and Nexpose customers can assess their exposure to the vulnerability with an authenticated vulnerability check available as of the February 17, 2023 content release. A remote vulnerability check was released on February 27, 2023, with accuracy improvements released on March 28, 2023. Additionally, monitoring the log files in the folder /opt/aspera/faspex/log for suspicious entries related to PackageRelayController#relay_package can help detect potential attacks.
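The log check described above, as an added example that is not from IBM, Rapid7 or the original article: a Python scan of the log folder for lines that mention PackageRelayController#relay_package, with the client address of the request where it can be recovered. The Rails-style "Started ... for <ip> at <time>" request line, the .gz naming of rotated logs and the sample lines are assumptions; compare them with your own log files.

```python
import gzip
import re
import sys
from pathlib import Path

MARKER = "PackageRelayController#relay_package"  # string named in the article
LOG_DIR = "/opt/aspera/faspex/log"               # folder named in the article
# Assumption: Rails-style request lines, 'Started <VERB> "<path>" for <ip> at <time>'.
STARTED = re.compile(r'Started (\S+) "([^"]*)" for (\S+) at (.+)$')

def scan_lines(lines):
    """Return one record per line that mentions MARKER."""
    # Client and time come from the nearest preceding 'Started' line (best-effort
    # attribution when several workers write to the same file).
    hits, last = [], None
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        last = STARTED.search(line) or last
        if MARKER in line:
            hits.append({"line": number, "text": line.strip(),
                         "client": last.group(3) if last else None,
                         "when": last.group(4) if last else None})
    return hits

def scan_log_dir(log_dir=LOG_DIR):
    """Scan every file in log_dir (gzip-rotated ones too); return {filename: hits}."""
    results = {}
    for path in sorted(Path(log_dir).iterdir()):
        if path.is_file():
            opener = gzip.open if path.suffix == ".gz" else open
            with opener(path, "rt", errors="replace") as handle:
                hits = scan_lines(handle)
            if hits:
                results[path.name] = hits
    return results

# Constructed sample lines (not from a real server); paths and IPs are placeholders.
SAMPLE = [
    'Started POST "/constructed/example" for 203.0.113.7 at 2023-03-01 10:00:00 +0000',
    "Processing by PackageRelayController#relay_package as JSON",
    'Started GET "/constructed/other" for 198.51.100.2 at 2023-03-01 10:00:05 +0000',
    "Processing by OtherController#index as HTML",
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else LOG_DIR
    found = scan_log_dir(target) if Path(target).is_dir() else {"SAMPLE": scan_lines(SAMPLE)}
    for name, hits in found.items():
        for hit in hits:
            print(f'{name}:{hit["line"]} client={hit["client"]} at={hit["when"]} {hit["text"]}')
```

Each hit is an entry to review together with the server's patch level and the time of the request; run the script with a directory argument to scan a copy of the logs taken from the server.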

By taking immediate action to patch the vulnerability and monitor log files, organizations can protect their servers from ransomware attacks and prevent potential data loss and financial damage.