Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)
Attackers are exploiting a critical vulnerability (CVE-2022-47986) in the IBM Aspera Faspex centralized file transfer solution to breach organizations.
About CVE-2022-47986
IBM Aspera Faspex is used by organizations to allow employees to quickly and securely exchange files with each other. (The files are uploaded to and downloaded from a centralized Aspera transfer server.)
CVE-2022-47986 is a YAML deserialization flaw that can be triggered by remote attackers sending a specially crafted obsolete API call. It affects IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier, and allows arbitrary code execution.
The problem, according to Rapid7’s security researcher Caitlin Condon, is that Aspera Faspex is typically installed on the network perimeter and – obviously – that some organizations haven’t plugged this particular security hole when IBM first made patches available.
Now, granted, its initial CVSS score (8.1) and the fact that it was the most highly scored vulnerability patched at the time might have had something to do with their decision not to patch quickly.
Unfortunately for them, the score was subsequently raised to 9.8 (out of 10) to reflect its real severity. But, more importantly, Max Garrett – the researcher who unearthed it – released technical details and PoC exploit code.
Exploiting CVE-2022-47986
The attackers started exploiting it almost immediately, and they haven’t stopped since.
In early March, SentinelOne researchers spotted attackers wielding the IceFire ransomware hitting Linux boxes of organizations in Turkey, Iran, Pakistan, and the United Arab Emirates. Greynoise recorded several exploitation attempts in the last month.
Rapid7’s Condon also says that they are aware of at least one recent incident where a customer was compromised via CVE-2022-47986.
The company has shared indicators of compromise that might come in handy to those who have been compromised but have yet to have ransomware unleashed on their systems (if deploying ransomware and not data exfiltration and extortion was the plan).
Enterprise admins are advised to upgrade their IBM Aspera Faspex server immediately and to look for – and act on – evidence of compromise.