A critical bug in IBM's Aspera Faspex file transfer stack, tracked as CVE-2022-47986, is catching the attention of cybercriminals, including ransomware gangs, as organizations fail to patch. Rapid7 researchers stress the urgent need for immediate action, with one of their customers recently being compromised by the bug. Caitlin Condon, senior manager of security research at Rapid7, recommends patching on an emergency basis, without waiting for a typical patch cycle to occur.
IBM Aspera Faspex is a cloud-based file exchange application that uses the Fast Adaptive and Secure Protocol (FASP) to enable organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The service is utilized by large organizations like Red Hat and the University of California, according to Enlyft. The vulnerability exists in Faspex's version 4.4.2 Patch Level 1 and has a severity score of 9.8 out of 10 on the CVSS vulnerability-severity scale. IBM explained in a security bulletin published on Jan. 26 that an attacker could remotely deploy their own code onto any target system running Faspex by sending a specially crafted obsolete API call. The bug was first reported to IBM on Oct. 6, 2022, and fixed on Dec. 8, in 4.4.2 Patch Level 2.
Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. Having run into a technical problem, the group adopted a new intrusion method for that environment: exploiting CVE-2022-47986. Since then, other cybercriminal outfits have exploited this simple yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware after the Shadowserver Foundation picked up on live exploitation attempts.
The vulnerability can be easily remedied with a simple upgrade to Patch Level 2 or the newest Patch Level 3, released March 20, according to Condon. However, many organizations remain vulnerable because of neglect or inconsistent patch cycles. As of last month, nearly 140 instances of Aspera Faspex were exposed on the Web. In some cases, Condon believes, the software may be difficult to patch because of its complex stack or finicky setup.
Companies that haven't patched and can't do so immediately have limited options left to protect themselves. Condon describes adding a couple of layers of defense and taking Aspera Faspex offline as absolutely crucial. Ultimately, the only surefire fixes are to patch or to abandon the software outright. Condon acknowledges that not everyone can shut the software down, so at the very least she advises taking it off the public Internet and putting any other available controls in place.