IBM file transfer service under active exploit, security researchers warn

Dive Brief:

Threat actors are actively exploiting a vulnerability in IBM Aspera Faspex, a file-transfer service, almost four months after a patch was first made available, according to Rapid7.
“Rapid7 is aware of at least one recent incident where a customer was compromised via” the vulnerability, Caitlin Condon, senior manager of vulnerability research at Rapid7, said in a Tuesday blog post. This follows previous reports of exploitation, including the IceFire ransomware campaign which began earlier this month, according to SentinelOne.
The vulnerability, CVE-2022-47986, has a CVSS score of 9.8 and could allow a malicious actor to execute arbitrary code on the system, according to a security alert IBM released on Jan. 26.

Dive Insight:

This is the second high-profile, actively exploited vulnerability currently linked to a file-transfer service this year. Threat actors affiliated with the Clop ransomware group have claimed almost 200 victims by exploiting a vulnerability in Fortra’s GoAnywhere file-transfer service.

“In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur,” Condon said.

The vulnerability affects IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier, according to IBM. It does not affect Faspex 5.x and, while a patch is available for customers still using Faspex 4.x, IBM said it also encourages customers to upgrade to the latest version of the file-transfer service.

“IBM is working closely with its customers in connection with CVE-2022-47986 and urging them to apply the fix as soon as possible,” an IBM spokesperson said via email.

IBM issued a patch for CVE-2022-47986 on Dec. 8, 2022.

SentinelOne earlier this month said it observed new Linux versions of IceFire ransomware deployed in enterprise networks of multiple media and entertainment sector organizations. Researchers linked the intrusions to hosts running a vulnerable version of IBM Aspera Faspex.