Media Coverage

You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get. Making matters worse, the bug’s discoverers, security company Assetnote published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands. Now in an ideal world, this would just be a good teaching moment. In it, they explain how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution using specially crafted API calls to a now obsolete API call Guess what? We don’t live in such a world. The non-profit Shadowserver Foundation Internet group reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including its use in the Linux and Windows IceFire ransomware campaign. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces. Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.

Finding Exploitation Attempts To identify potential exploitation attempts, look at your logfiles in the default directory: /opt/aspera/faspex/log. If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. 

Fresh warnings are sounding about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts. The IBM Aspera Faspex file-exchange application is a widely adopted enterprise file-exchange application with a reputation for being able to secure and quickly move large files. Security experts warn that a flaw patched in the software by IBM on Dec. 8, 2022, which can be used to sidestep authentication and remotely exploit code, is being actively abused, including by multiple groups of attackers wielding crypto-locking malware. While the flaw was patched in December, IBM didn’t appear to have immediately detailed the vulnerability – one of many – fixed in that update. In a Jan. 26 security alert, IBM said that the flaw, designated CVE-2022-47986 and given a base CVSS score of 9.8, “could allow a remote attacker to execute arbitrary code on the system … by sending a specially crafted obsolete API call.” Malicious activity tracking group Shadowserver on Feb.13 warned that it was seeing active, in-the-wild attempts to exploit CVE-2022-47986 in vulnerable versions of Aspera Faspex. Software developer Raphael Mendonça reported Feb. 16 that a group called BuhtiRansom was “encrypting multiple vulnerable servers with CVE-2022-47986.” Buhti is a relatively new ransomware group that Palo Alto’s Unit 42 threat intelligence group has seen using crypto-locking malware written in the Go language that infects Linux systems. Targeting file transfer software or appliances is not a new tactic for ransomware groups. 

A critical bug in IBM’s popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch. Months after IBM released a patch for the critical vulnerability, it’s being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California. The vulnerability exists in Faspex’s version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale. Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986. In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

Threat actors are targeting multiple known software vulnerabilities in IBM Aspera Faspex file transfer service. One vulnerability, CVE-2022-47986, is a pre-authentication YAML deserialization vulnerability in the Ruby on Rails code that is ranked 9.3 in severity. Aspera Faspex is used by large organizations, including American Airlines and BT Sport.  IBM published an advisory for multiple security issues found in the platform on Jan. 26, which includes CVE-2022-47986. The flaw in Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a threat actor to remotely execute arbitrary code on the system. The advisory also included a system update that removed the obsolete API call. However, some organizations may have failed to promptly patch the vulnerability, leaving the bug open to exploit. According to Rapid7 research, details on the vulnerabilities and a working proof-of-concept code were publicly released in February. Since that time, researchers have observed multiple reports of exploitation of these flaws, including an ongoing IceFire ransomware campaign. The threat actors behind IceFire malware previously focused on targeting Windows platforms but have since expanded their targets to include Linux devices. The group follows other “big-game hunting” ransomware families, such as double extortion, large enterprise targets, persistence mechanisms, and the deletion of log files to evade analysis. Previously known exploits date as far back as Feb. 13. ShadowServer data shows there are approximately 50 servers still unpatched. Unpatched vulnerabilities have led to a host of exploits, particularly in the last six months. The Fortra GoAnywhere MFT managed file transfer application is the latest target. Data from February estimated that over 1,000 on-premises instances were vulnerable to the remote code injection bug. Since that time, Clop ransomware actors have claimed multiple victims, including 1 million patients tied to Community Health Systems in Tennessee. The attacks mirror earlier exploits of the Accellion File Transfer Application

Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added in by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild from several threat feeds such as ShadowServer at https://twitter.com/Shadowserver/status/1628140029322362880, so definitely patch if you haven’t done so already.

Previous U.S. approaches to cyber strategy have treated technology security largely as fixed in nature—working under the assumption that the relative vulnerability of software products, hardware devices, and systems is predetermined, something for policymakers to maneuver around rather than to shape. This comes from a recognition of the difficulties inherent in cybersecurity: Patching vulnerabilities is reliably slow and incomplete, companies face incentives to prioritize time to market over security, and vulnerabilities are uniformly inevitable, no matter the precautions taken. But approaching cybersecurity as competition over a static terrain is a mistake—and strategies that merely accept the given circumstances of cyberspace compound that error.  The new 2023 National Cybersecurity Strategy (NCS) departs from the previous 2018 National Cyber Strategy in two important ways. First, the new strategy calls to “rebalance the responsibility” of defending cyberspace, moving away from end users and toward the “most capable and best-positioned actors,” including owners and operators of key technologies and infrastructures. Second, it seeks to “realign incentives” through various regulatory, grantmaking, and budgetary measures.  One of the most important aspects of the terrain of cyberspace is the layout and security of the internet, as determined by the overlapping national and global networks that comprise it. As this layout continues to evolve, the role of private technology firms—especially cloud service providers in running it—has grown considerably. The strategy correctly connects greater cybersecurity with the openness of online networks, but it stops short of making that connection meaningful. Tangible progress toward a more open, secure, interoperable internet would combat the structural influence of prolific cyber threats and better enable the open market of Western security researchers to identify and combat these harms. Operational goals about the cybersecurity of internet technologies can and should flow from normative debates about the future of the internet. Openness and integrity aren’t just values: Purely through a security lens, they create space for independent researchers, small companies, and civil society groups to play outsized roles in rapidly detecting and mitigating threats to networks and users. Preserving openness and placing power in the hands of users rather than institutions has enabled community-led security efforts like the Shadowserver Foundation and the monitoring and open-source intelligence work of the Digital Forensic Research Lab and Bellingcat. Protecting the open internet is in America’s national interest and advances its core cybersecurity goals as much as, if not more than, prioritizing operational superiority over its adversaries.

In less than a month, Microsoft will stop supporting Exchange Server 2013. There will be no more security updates for found vulnerabilities, Microsoft has announced again . The mail server software appeared on January 9, 2013 and introduced a completely new “servicing model”, which no longer used Service Packs and Update Rollups, but worked with Cumulative Updates. Over the past year, Microsoft has repeatedly warned that after April 11, it will no longer release patches and bug fixes for Exchange Server 2013, technical support, or time zone updates. Some estimates state that there are three hundred thousand Exchange servers on the Internet. According to the Shadowserver Foundation, more than 71,000 of its servers contain a known vulnerability. Organizations that are still working with Exchange Server 2013 are urged by Microsoft to switch to Exchange Server 2019 or Exchange Server Online as soon as possible. Last month, the French government announced that many of the attacks it investigated exploited vulnerabilities in mail server software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.The list of vulnerabilities is below –

• CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
• CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
• CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it has seen exploitation attempts against its honeypots. Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale, VulnCheck security researcher Jacob Baines said in December 2022.

An information base on the vulnerabilities of Internet of Things devices was created as part of the VARIoT project, which was coordinated by the NASK National Research Institute. Thanks to the work of scientists, everyone can easily check whether the equipment they use is vulnerable to cybercriminal attacks. The Internet of Things (IoT) is a concept based on creating a network of devices that exchange data with each other. The developing IoT market means not only convenience for the end user, but also brings many benefits for the economy, creating new areas of device application, and what is more – it has the potential for development in virtually all its sectors, from energy, through telecommunications, to health care. An increasing number of devices connected to the Internet of Things – e.g. electronics and household appliances, medical devices, cars – and a significant increase in network traffic, however, will not be without impact on cybersecurity. The VARIoT project (“Vulnerability and Attack Repository for IoT”) was implemented by a consortium of five institutions: NASK – PIB (coordinator), Stichting The Shadowserver Foundation Europe (Shadowserver, Netherlands), Security Made In Letzebuerg GIE (SMILE, Luxembourg), Institut Mines -Télécom (IMT, France), Mondragon Goi Eskola Politeknikoa Jose Maria Arizmendiarrieta S COOP (MGEP, Spain). The main task of NASK specialists in the project was to create a universal database of information on vulnerabilities and exploits of IoT devices.  The effects of the work of experts involved in the project will be useful to network owners, specialists who deal with cybersecurity research or CSIRT teams.

Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers’ security. As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they’re no longer affecting stability or performance. However, admins should make a point out of scanning these locations and processes because they’re often abused in attacks to deploy malware. “Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues,” the Exchange Team said. This comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide. Redmond also recently urged customers to keep on-premises Exchange servers up-to-date by applying the latest Cumulative Update (CU) to have them ready to deploy emergency security updates. It is also recommended to always run the Exchange Server Health Checker script after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change. As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) are still vulnerable to attacks leveraging ProxyNotShell exploits.