Indiscriminate, opportunistic targeting.
Severity level: Critical – Compromise will result in the loss of confidentiality and integrity of data in the first instance.
IBM has disclosed a critical vulnerability, tracked as CVE-2022-47986 (CVSSv3 score: 9.8), a pre-authentication YAML deserialisation flaw in the Ruby on Rails code of Aspera Faspex.
Proof-of-concept (PoC) code has been released for the vulnerability, which has been linked to several attack campaigns, most notably the recent IceFire ransomware campaign.
Successful exploitation of CVE-2022-47986 allows a remote threat actor to execute arbitrary code on the system through the YAML deserialisation flaw. This is triggered by sending a specially crafted call to an obsolete API.
IBM has patched the vulnerability in the affected product; the following versions remain vulnerable to exploitation:
– Aspera Faspex 4.4.2 Patch Level 1 and below
Containment, Mitigations & Remediations
Given the reported active exploitation of CVE-2022-47986, and the fact that Aspera Faspex is typically installed on the network perimeter, administrators are strongly advised to apply the Aspera Faspex 4.4.2 Patch Level 2 update as soon as possible.
Indicators of Compromise
Log files are located in the ‘/opt/aspera/faspex/log’ folder. Log entries referencing ‘PackageRelayController#relay_package’ have been classified as an Indicator of Compromise (IoC).
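The following POSIX shell script is an added example (not IBM's or the advisory's own tooling) for sweeping the Faspex log folder for the IoC above and reporting hits for triage. The function names, the LOG_DIR and IOC_PATTERN variables, and the Rails-style sample log lines it builds for offline use are our own constructions; the only value taken from the advisory is the ‘PackageRelayController#relay_package’ string and the default log path.

```shell
#!/bin/sh
# Added example: scan IBM Aspera Faspex logs for the CVE-2022-47986 IoC.
# Assumptions (ours, not the advisory's): LOG_DIR/IOC_PATTERN names, the
# function names below, and the constructed Rails-style sample log format.

LOG_DIR="${LOG_DIR:-/opt/aspera/faspex/log}"
IOC_PATTERN='PackageRelayController#relay_package'

# scan_faspex_logs DIR
# Prints every matching line as file:line:text.
# Exit codes: 0 = hits found, 1 = no hits, 2 = directory missing.
scan_faspex_logs() {
    dir="$1"
    [ -d "$dir" ] || return 2
    # grep exits 1 when nothing matches; swallow that so callers (and set -e)
    # only see this function's own return codes.
    hits=$(grep -rnF -- "$IOC_PATTERN" "$dir" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# count_faspex_hits DIR
# Prints the number of matching lines (0 when none or when DIR is missing).
count_faspex_hits() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    grep -rhF -- "$IOC_PATTERN" "$dir" 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_log_dir
# Writes a constructed production.log (not real Faspex output) into a temp
# directory and prints that directory, so the scan can be tried offline.
# Exactly one line references the IoC controller action.
make_sample_log_dir() {
    tmp=$(mktemp -d)
    cat > "$tmp/production.log" <<'EOF'
I, [2023-02-10T09:14:02.140 #2201]  INFO -- : Processing by PackagesController#index as HTML
I, [2023-02-10T09:15:31.010 #2201]  INFO -- : Processing by PackageRelayController#relay_package as JSON
I, [2023-02-10T09:16:12.900 #2201]  INFO -- : Processing by SessionsController#create as HTML
EOF
    echo "$tmp"
}

# Usage:
#   sh scan_faspex.sh --demo   # runs against the constructed sample, prints 'hits: 1'
#   sh scan_faspex.sh --scan   # runs against $LOG_DIR on a real host
case "${1:-}" in
    --demo)
        d=$(make_sample_log_dir)
        scan_faspex_logs "$d" || true
        echo "hits: $(count_faspex_hits "$d")"
        rm -rf "$d"
        ;;
    --scan)
        scan_faspex_logs "$LOG_DIR"
        ;;
esac
```

Any hit should be treated as a lead, not proof: correlate the timestamp with the source address in the surrounding request lines and with cron entries and log gaps (the IceFire techniques listed below), since an attacker who has cleared system logs may leave the Faspex application log as the only surviving record.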
IBM Aspera holds a significant share of the Enterprise Application Integration market. Threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, so IBM Aspera products can emerge as prime targets. Because enterprise applications have become an integral part of business operations, threat actors will continue to exploit vulnerabilities in such products in an attempt to extract the sensitive data they hold.
The vulnerability was exploited in the recent IceFire ransomware campaign. IceFire ransomware emerged in March 2022, but the threat actors did not begin publishing exfiltrated victim data to their extortion site until August 2022.
IceFire operators have previously only targeted Windows systems, but their recent expansion to focus on Linux systems is a consistent trend that has been associated with additional ransomware groups such as Clop. Linux systems are typically server systems, which means that initial access techniques, such as phishing or drive-by compromise, are less effective as a method to gain access to these machines. Instead, threat actors are forced to rely on vulnerability exploitation which, while effective, diminishes a threat actor’s ability to launch widespread attacks.
TA0005 – Defence Evasion
– T1070.002 – Indicator Removal: Clear Linux or Mac System Logs
TA0002 – Execution
– T1053.003 – Scheduled Task/Job: Cron
TA0003 – Persistence
TA0040 – Impact