IBM’s Aspera Faspex file-exchange software has been flagged by security experts as vulnerable to ransomware attack. A flaw patched in December 2022 was not immediately detailed by IBM but has since been designated CVE-2022-47986; it can be used to bypass authentication and execute code remotely.
Malicious-activity trackers have reported seeing active attempts to exploit this vulnerability against unpatched versions of Aspera Faspex.
BuhtiRansom, a relatively new ransomware group, has been exploiting the flaw to encrypt multiple vulnerable servers. Aspera Faspex users are advised to take their software offline immediately unless they have upgraded it to a patched version.
The flaw is a deserialization vulnerability in the Ruby on Rails code of IBM Aspera Faspex version 4.4.2 patch level 1 and earlier. IBM’s fix removes the affected API call; alternatively, users can upgrade to Faspex 5.x, which does not contain the flaw.
Rapid7 recommends that Aspera Faspex users should patch on an emergency basis, without waiting for a typical patch cycle to occur. Targeting file transfer software or appliances is not a new tactic for ransomware groups.
Buhti is not the only ransomware group targeting IBM’s file transfer software. SentinelOne’s threat intelligence division, SentinelLabs, has reported that IceFire, a ransomware group first spotted in March 2022, has been using the Aspera vulnerability to attack Linux systems.
Launching a ransomware attack against Linux “at scale” is more difficult than for Windows, because Linux tends to run on servers, making “typical infection vectors like phishing or drive-by download less effective.” Exploitable vulnerabilities help attackers sidestep such restrictions.