
Unpatched IBM Aspera Faspex file transfer service under active attack


Threat actors are targeting multiple known software vulnerabilities in IBM Aspera Faspex file transfer service.

One vulnerability, CVE-2022-47986, is a pre-authentication YAML deserialization vulnerability in the Ruby on Rails code that is ranked 9.3 in severity.

At least one Aspera Faspex client was recently compromised through the critical vulnerability, according to Rapid7. Its researchers are urging all Aspera Faspex clients to patch “on an emergency basis without waiting for a typical patch cycle to occur,” as the platform is usually installed on the network perimeter.

“Because this is typically an internet-facing service and the vulnerability has been linked to ransomware group activity, we recommend taking the service offline if a patch cannot be installed right away,” Rapid7 warned.

Aspera Faspex is used by large organizations, including American Airlines and BT Sport. The IBM site notes the tool is designed as an alternative to FTP server software and helps reliably and securely transfer files.

IBM published an advisory for multiple security issues found in the platform on Jan. 26, which includes CVE-2022-47986. The flaw in Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a threat actor to remotely execute arbitrary code on the system.

“By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system,” IBM previously warned.

The advisory also included a system update that removed the obsolete API call. However, some organizations may have failed to promptly patch the vulnerability, leaving the bug open to exploit.
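The bug class named above, YAML deserialization of request data in Ruby, shown as an added illustration that is not Aspera Faspex code and not part of the original article. The `AuditMarker` class, the helper names and both sample documents are hypothetical and constructed for this example.

```ruby
require "yaml"

# Hypothetical class standing in for any application type that a
# request-supplied YAML tag could name. It is harmless and only holds a note.
class AuditMarker
  attr_accessor :note
end

# Constructed sample inputs (not captured traffic).
PLAIN_DOC  = "recipient: alice\nfiles:\n  - report.pdf\n"
TAGGED_DOC = "--- !ruby/object:AuditMarker\nnote: built from request data\n"

# Weak pattern: full object deserialization of request-supplied YAML.
# Psych 4 made YAML.load safe by default, so the unsafe entry point is
# selected explicitly where it exists.
def load_trusting(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: plain scalars, arrays and hashes only, with no custom
# classes, no symbols and no aliases. Returns [:ok, data] or [:rejected, reason].
def load_untrusted(doc)
  data = YAML.safe_load(doc, permitted_classes: [], permitted_symbols: [], aliases: false)
  return [:rejected, "top-level value must be a mapping"] unless data.is_a?(Hash)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  puts load_trusting(TAGGED_DOC).class # the tag in the input chose the class
  p load_untrusted(TAGGED_DOC)         # rejected before any object is built
  p load_untrusted(PLAIN_DOC)          # ordinary data still parses
end
```

With the trusting loader, the sender of the document decides which class is instantiated; the restricted loader refuses the tag and only ever returns plain data.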

According to Rapid7 research, details on the vulnerabilities and working proof-of-concept code were publicly released in February. Since that time, researchers have observed multiple reports of exploitation of these flaws, including an ongoing IceFire ransomware campaign.

In early March, SentinelLabs observed Linux versions of IceFire ransomware being deployed in enterprise network intrusions at several global media and entertainment sector organizations. Forensics of these attacks suggest the attackers were deploying the ransomware through the critical Aspera Faspex flaw.

The threat actors behind IceFire malware previously focused on targeting Windows platforms but have since expanded their targets to include Linux devices. The group follows the tactics of other “big-game hunting” ransomware families, such as double extortion, large enterprise targets, persistence mechanisms, and the deletion of log files to evade analysis.

The group’s prime targets include tech companies. SentinelLabs has also observed attacks against media and entertainment companies. Previously known exploits date as far back as Feb. 13. ShadowServer data shows there are approximately 50 servers still unpatched.

Unpatched vulnerabilities have led to a host of exploits, particularly in the last six months. The Fortra GoAnywhere MFT managed file transfer application is the latest target, with a number of entities successfully gaining access through an unpatched zero-day flaw in the platform.

Data from February estimated that over 1,000 on-premises instances were vulnerable to the remote code injection bug. Since that time, Clop ransomware actors have claimed multiple victims, including 1 million patients tied to Community Health Systems in Tennessee. The attacks mirror earlier exploits of the Accellion File Transfer Application.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
