
IN THE WILD — Ransomware crooks are exploiting IBM file-exchange bug with a 9.8 severity If you haven’t patched your Aspera Faspex server, now would be an excellent time.

Dan Goodin – Mar 29, 2023 12:24 am UTC

Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM's proprietary FASP (short for Fast, Adaptive, and Secure Protocol) to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that's similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

"Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986," company researchers wrote. "In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur."

According to other researchers, the vulnerability is being exploited to install ransomware. SentinelOne researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the group pushed only a Windows version that got installed using phishing emails. Because phishing attacks are harder to pull off on Linux servers, IceFire pivoted to the IBM vulnerability to spread its Linux version. Researchers have also reported the vulnerability is being exploited to install ransomware known as Buhti.

As noted earlier, IBM patched the vulnerability in January. IBM republished its advisory earlier this month to ensure no one missed it. People who want to better understand the vulnerability and how to mitigate potential attacks against Aspera Faspex servers should check posts here and here from security firms Assetnote and Rapid7.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at: https://infosec.exchange/@dangoodin Email dan.goodin@arstechnica.com
