Ransomware Groups Hit Unpatched IBM File Transfer SoftwareBuhti and IceFire Ransom Groups Tied to Attacks Targeting Vulnerable Servers
Fresh warnings are sounding about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts.
See Also: 2022 Unit 42 Incident Response Report
The IBM Aspera Faspex file-exchange application is a widely adopted enterprise file-exchange application with a reputation for being able to secure and quickly move large files.
Security experts warn that a flaw patched in the software by IBM on Dec. 8, 2022, which can be used to sidestep authentication and remotely exploit code, is being actively abused, including by multiple groups of attackers wielding crypto-locking malware.
While the flaw was patched in December, IBM didn't appear to have immediately detailed the vulnerability - one of many - fixed in that update. In a Jan. 26 security alert, IBM said that the flaw, designated CVE-2022-47986 and given a base CVSS score of 9.8, "could allow a remote attacker to execute arbitrary code on the system … by sending a specially crafted obsolete API call."
Malicious activity tracking group Shadowserver on Feb.13 warned that it was seeing active, in-the-wild attempts to exploit CVE-2022-47986 in vulnerable versions of Aspera Faspex.
Software developer Raphael Mendonça reported Feb. 16 that a group called BuhtiRansom was "encrypting multiple vulnerable servers with CVE-2022-47986."
Buhti is a relatively new ransomware group that Palo Alto's Unit 42 threat intelligence group has seen using crypto-locking malware written in the Go language that infects Linux systems. Bitdefender has also seen the group using crypto-locking malware for Windows, written in Portable Executable format.
In February, the group was directing victims to pay their ransom via "SatoshiDisk[.]com, a bitcoin payment support site currently hosted on Cloudflare IP," reported malware researcher Brad Duncan, a Unit 42 threat intelligence analyst.
Targeting file transfer software or appliances is not a new tactic for ransomware groups. The Clop group in particular has taken credit for a large-scale attack campaign in recent months against users of Fortra's widely used managed file transfer software, GoAnywhere MFT. By exploiting a zero-day vulnerability - and more recently, victims who have yet to patch the flaw - the group appears to have claimed more than 130 victims.
Security firm Rapid7 this week recommended that Aspera Faspex users take their software offline immediately unless they have upgraded it to a patched version. "In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur," Caitlin Condon, Rapid7's senior manager for vulnerability research, said in a security alert.
The flaw is a deserialization vulnerability in the Ruby on Rails code that exists in IBM Aspera Faspex version 4.4.2 running patch level 1 and earlier. IBM fixed the vulnerability by removing the API call. Users can also upgrade to Faspex 5.x, which does not have the vulnerability.
IceFire Targets File Transfer Software
Buhti is not the only ransomware group tied to attacks against IBM's file transfer software. SentinelOne's threat intelligence division, SentinelLabs, on March 9 reported it had been seeing CVE-2022-47986 exploited by IceFire, a ransomware group first spotted in March 2022.
The group previously focused on attacking Windows systems, backed by double-extortion tactics and a penchant for big game hunting, meaning it looks for large victims who have the potential to pay bigger ransoms. "Previous reports indicate that IceFire targeted technology companies; SentinelLabs observed these recent attacks against organizations in the media and entertainment sector," it said. "IceFire has impacted victims in Turkey, Iran, Pakistan and the United Arab Emirates, which are typically not a focus for organized ransomware actors."
SentinelOne said that in the new campaign, the group for the first time began hitting Linux systems - via the Aspera vulnerability. While ransomware groups began developing exploits for Linux in earnest in 2021, the researchers say the trend didn't really take off until 2022, "when illustrious groups added Linux encryptors to their arsenal, including the likes of BlackBasta, Hive, Qilin, Vice Society - aka HelloKitty - and others."
Launching a ransomware attack against Linux "at scale" is more difficult than for Windows, the researchers said, because Linux tends to run on servers, meaning "typical infection vectors like phishing or drive-by download are less effective."
Exploitable vulnerabilities help attackers sidestep such restrictions. "Actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability," SentinelLabs said. Of course, the same can be said of the Buhti ransomware group.
Credit for discovering CVE-2022-47986 goes to security researchers Maxwell Garrett and Shubham Shah at continuous security platform Assetnote. They reported the flaw to IBM on Oct. 6, 2022, and released public details on Feb. 2, together with proof-of-concept exploit code.