Media Coverage

One of the things we do at VulnCheck is n-day analysis. That can include analysis of well-known, deeply researched, and widely exploited vulnerabilities. When we tackle that type of issue, we aim to learn something new, novel, or, at the very least, interesting. We recently took that approach analyzing CVE-2022-1388. CVE-2022-1388 is an authentication bypass vulnerability affecting F5 Big-IP products. When CVE-2022-1388 was disclosed in May 2022, there were only a few thousand internet-facing affected systems. But there was no stopping the infosec hype train. Multiple research organizations published redacted proof of concepts, Kevin Beaumont was tweeting about honeypot exploitation, randoms were dropping exploit screenshots, and reporters were mistaking jokes about an inside job for reality. Eventually, most of the speculation and fear-mongering were put to bed by an excellent deep-dive analysis from Horizon3.ai. When all the hype died down, the vulnerability was quite well-known. It’s been featured in research write-ups. There’s a Metasploit module, and Greynoise tag. Shadow Server identifies the vulnerability in their honeypot network. It was even named one of the [top vulnerabilities in 2022, and added to the CISA KEV Catalog. What more could be said about this vulnerability? Well, if you don’t look, you’ll never know.

Rivian Automotive, Inc. (NASDAQ: RIVN) today announced it has hired Mike Johnson as its Chief Information Security Officer (CISO). Johnson joins Rivian from Fastly where he was CISO for over 3 years, securing the network and platform of the edge cloud company. Johnson’s cybersecurity career spans more than 25 years, starting with prototyping intrusion detection systems for battlefield networks. Prior to Fastly, he served as ride-sharing company Lyft’s first CISO. Before Lyft, he spent nine years at Salesforce in various roles, ultimately building and growing their world class Detection and Response organization. Johnson currently serves on the Board of Directors for the non-profit Shadowserver Foundation, which gathers and analyzes data on malicious Internet activity. He also co-hosts the CISO Series podcast and is a frequent guest on industry podcasts.

Diane Lye, Chief Information Officer, Rivian, said:
“Mike brings an impressive track record of building and leading Cybersecurity programs across multiple different industries and is a thought-leader in this rapidly evolving space. I am delighted that he has chosen to join Rivian at this time in our growth.”

Rivian designs, develops, and manufactures category-defining electric vehicles and accessories and sells them directly to customers in the consumer and commercial markets. 

You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get. Making matters worse, the bug’s discoverers, security company Assetnote published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands. Now in an ideal world, this would just be a good teaching moment. In it, they explain how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution using specially crafted API calls to a now obsolete API call Guess what? We don’t live in such a world. The non-profit Shadowserver Foundation Internet group reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including its use in the Linux and Windows IceFire ransomware campaign. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces. Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.

Finding Exploitation Attempts To identify potential exploitation attempts, look at your logfiles in the default directory: /opt/aspera/faspex/log. If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. 

Fresh warnings are sounding about the risk posed to users of unpatched IBM-built enterprise file transfer software as ransomware-wielding attackers continue to launch exploit attempts. The IBM Aspera Faspex file-exchange application is a widely adopted enterprise file-exchange application with a reputation for being able to secure and quickly move large files. Security experts warn that a flaw patched in the software by IBM on Dec. 8, 2022, which can be used to sidestep authentication and remotely exploit code, is being actively abused, including by multiple groups of attackers wielding crypto-locking malware. While the flaw was patched in December, IBM didn’t appear to have immediately detailed the vulnerability – one of many – fixed in that update. In a Jan. 26 security alert, IBM said that the flaw, designated CVE-2022-47986 and given a base CVSS score of 9.8, “could allow a remote attacker to execute arbitrary code on the system … by sending a specially crafted obsolete API call.” Malicious activity tracking group Shadowserver on Feb.13 warned that it was seeing active, in-the-wild attempts to exploit CVE-2022-47986 in vulnerable versions of Aspera Faspex. Software developer Raphael Mendonça reported Feb. 16 that a group called BuhtiRansom was “encrypting multiple vulnerable servers with CVE-2022-47986.” Buhti is a relatively new ransomware group that Palo Alto’s Unit 42 threat intelligence group has seen using crypto-locking malware written in the Go language that infects Linux systems. Targeting file transfer software or appliances is not a new tactic for ransomware groups. 

A critical bug in IBM’s popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch. Months after IBM released a patch for the critical vulnerability, it’s being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California. The vulnerability exists in Faspex’s version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale. Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986. In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

Threat actors are targeting multiple known software vulnerabilities in IBM Aspera Faspex file transfer service. One vulnerability, CVE-2022-47986, is a pre-authentication YAML deserialization vulnerability in the Ruby on Rails code that is ranked 9.3 in severity. Aspera Faspex is used by large organizations, including American Airlines and BT Sport.  IBM published an advisory for multiple security issues found in the platform on Jan. 26, which includes CVE-2022-47986. The flaw in Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a threat actor to remotely execute arbitrary code on the system. The advisory also included a system update that removed the obsolete API call. However, some organizations may have failed to promptly patch the vulnerability, leaving the bug open to exploit. According to Rapid7 research, details on the vulnerabilities and a working proof-of-concept code were publicly released in February. Since that time, researchers have observed multiple reports of exploitation of these flaws, including an ongoing IceFire ransomware campaign. The threat actors behind IceFire malware previously focused on targeting Windows platforms but have since expanded their targets to include Linux devices. The group follows other “big-game hunting” ransomware families, such as double extortion, large enterprise targets, persistence mechanisms, and the deletion of log files to evade analysis. Previously known exploits date as far back as Feb. 13. ShadowServer data shows there are approximately 50 servers still unpatched. Unpatched vulnerabilities have led to a host of exploits, particularly in the last six months. The Fortra GoAnywhere MFT managed file transfer application is the latest target. Data from February estimated that over 1,000 on-premises instances were vulnerable to the remote code injection bug. Since that time, Clop ransomware actors have claimed multiple victims, including 1 million patients tied to Community Health Systems in Tennessee. The attacks mirror earlier exploits of the Accellion File Transfer Application

Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added in by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild from several threat feeds such as ShadowServer at https://twitter.com/Shadowserver/status/1628140029322362880, so definitely patch if you haven’t done so already.

Previous U.S. approaches to cyber strategy have treated technology security largely as fixed in nature—working under the assumption that the relative vulnerability of software products, hardware devices, and systems is predetermined, something for policymakers to maneuver around rather than to shape. This comes from a recognition of the difficulties inherent in cybersecurity: Patching vulnerabilities is reliably slow and incomplete, companies face incentives to prioritize time to market over security, and vulnerabilities are uniformly inevitable, no matter the precautions taken. But approaching cybersecurity as competition over a static terrain is a mistake—and strategies that merely accept the given circumstances of cyberspace compound that error.  The new 2023 National Cybersecurity Strategy (NCS) departs from the previous 2018 National Cyber Strategy in two important ways. First, the new strategy calls to “rebalance the responsibility” of defending cyberspace, moving away from end users and toward the “most capable and best-positioned actors,” including owners and operators of key technologies and infrastructures. Second, it seeks to “realign incentives” through various regulatory, grantmaking, and budgetary measures.  One of the most important aspects of the terrain of cyberspace is the layout and security of the internet, as determined by the overlapping national and global networks that comprise it. As this layout continues to evolve, the role of private technology firms—especially cloud service providers in running it—has grown considerably. The strategy correctly connects greater cybersecurity with the openness of online networks, but it stops short of making that connection meaningful. Tangible progress toward a more open, secure, interoperable internet would combat the structural influence of prolific cyber threats and better enable the open market of Western security researchers to identify and combat these harms. Operational goals about the cybersecurity of internet technologies can and should flow from normative debates about the future of the internet. Openness and integrity aren’t just values: Purely through a security lens, they create space for independent researchers, small companies, and civil society groups to play outsized roles in rapidly detecting and mitigating threats to networks and users. Preserving openness and placing power in the hands of users rather than institutions has enabled community-led security efforts like the Shadowserver Foundation and the monitoring and open-source intelligence work of the Digital Forensic Research Lab and Bellingcat. Protecting the open internet is in America’s national interest and advances its core cybersecurity goals as much as, if not more than, prioritizing operational superiority over its adversaries.

In less than a month, Microsoft will stop supporting Exchange Server 2013. There will be no more security updates for found vulnerabilities, Microsoft has announced again . The mail server software appeared on January 9, 2013 and introduced a completely new “servicing model”, which no longer used Service Packs and Update Rollups, but worked with Cumulative Updates. Over the past year, Microsoft has repeatedly warned that after April 11, it will no longer release patches and bug fixes for Exchange Server 2013, technical support, or time zone updates. Some estimates state that there are three hundred thousand Exchange servers on the Internet. According to the Shadowserver Foundation, more than 71,000 of its servers contain a known vulnerability. Organizations that are still working with Exchange Server 2013 are urged by Microsoft to switch to Exchange Server 2019 or Exchange Server Online as soon as possible. Last month, the French government announced that many of the attacks it investigated exploited vulnerabilities in mail server software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.The list of vulnerabilities is below –

• CVE-2022-35914 (CVSS score: 9.8) – Teclib GLPI Remote Code Execution Vulnerability
• CVE-2022-33891 (CVSS score: 8.8) – Apache Spark Command Injection Vulnerability
• CVE-2022-28810 (CVSS score: 6.8) – Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability

The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it has seen exploitation attempts against its honeypots. Since then, a cURL-based one-line proof of concept (PoC) has been made available on GitHub and a “mass” scanner has been advertised for sale, VulnCheck security researcher Jacob Baines said in December 2022.