IBM’s Aspera Faspex file transfer software is being exploited by ransomware groups to target businesses. The software is popular for its quick and secure transfer of large files. However, security experts warn that a flaw in the software, identified as CVE-2022-47986 and still unpatched on many deployments, is being actively exploited by hackers to bypass authentication and remotely execute code.
Vulnerability Exploited by Ransomware Groups
Despite IBM fixing the flaw on December 8, 2022, it did not immediately disclose the vulnerability. The flaw was only detailed in a security advisory released on January 26, 2023, which warned that the vulnerability could allow a remote attacker to execute arbitrary code on the system. The flaw carries a high score of 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
The Shadowserver Foundation, which tracks malicious activity, issued a warning on February 13, 2023, after observing active attempts to exploit the vulnerability in unpatched versions of Aspera Faspex. Software developer Raphael Mendonça reported on February 16, 2023, that a group called BuhtiRansom had encrypted several vulnerable servers.
BuhtiRansom is a new ransomware group that uses ransomware written in the Go language to infect Linux systems. Victims are directed to pay the ransom through SatoshiDisk.com, a Bitcoin payment site hosted on a Cloudflare IP. The Unit 42 threat intelligence group at Palo Alto Networks identified BuhtiRansom and reported its ransomware activity.
Targeting File Transfer Software
Ransomware groups have targeted file transfer software and appliances in the past to launch attacks. The Clop group has claimed responsibility for a recent large-scale attack campaign against users of GoAnywhere MFT, Fortra’s widely used file transfer software. The group exploited a zero-day vulnerability to target victims who had yet to patch the flaw, and it has claimed over 130 victims so far.
IBM urges users of Aspera Faspex to update their software to the latest version to address the vulnerability and prevent exploitation by hackers. Users should also implement multi-factor authentication and monitor their networks for any signs of unauthorized access, particularly on servers exposed to the internet.