IBM Aspera Faspex critical vulnerability under active exploitation by IceFire operators

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity level: Critical – Compromise will result in the loss of confidentiality and integrity of data in the first instance.

IBM has disclosed a critical vulnerability, tracked as CVE-2022-47986 (CVSSv3 score: 9.8), a pre-authentication YAML deserialisation flaw in the product's Ruby on Rails code.

Proof-of-Concept (PoC) code has been released for the vulnerability, which has been attributed to several attack campaigns, most notably the recent IceFire ransomware campaign.

Impact

Successful exploitation of CVE-2022-47986 would allow a remote threat actor to execute arbitrary code on the system via the YAML deserialisation flaw. This is achieved by sending a specially crafted request to an obsolete API call.

Vulnerability Detection

IBM has released a patch for the affected product version. Installations running earlier versions remain vulnerable to exploitation.

Affected Products

– Aspera Faspex 4.4.2 Patch Level 1 and below

Containment, Mitigations & Remediations

Due to the reported active exploitation of CVE-2022-47986, coupled with the fact that Aspera Faspex is typically installed on the network perimeter, administrators are strongly recommended to apply the Aspera Faspex 4.4.2 Patch Level 2 update as soon as possible.
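The following is an added example, not part of the original bulletin or IBM's own tooling, showing how an asset inventory can be triaged against the fixed build named above (Aspera Faspex 4.4.2 Patch Level 2). The version-string formats it accepts ("4.4.2 Patch Level 1", "4.4.2 PL2", "4.4.1") and the hostnames in the sample inventory are assumptions; anything newer than 4.4.2 Patch Level 2 is treated as patched.

```python
import re
from typing import Dict, Tuple

# Fixed build named in the bulletin: Aspera Faspex 4.4.2 Patch Level 2.
FIXED_VERSION = "4.4.2 Patch Level 2"

# Assumed version-string shape: MAJOR.MINOR.PATCH, optionally followed by
# "Patch Level N" or "PLN". Real inventory data may need its own parser.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(?:Patch\s*Level|PL)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_faspex_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Faspex version string into a comparable tuple.

    A version with no patch level is treated as patch level 0, so
    '4.4.2' sorts below '4.4.2 Patch Level 1'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Faspex version string: {text!r}")
    major, minor, patch, pl = m.groups()
    return (int(major), int(minor), int(patch), int(pl or 0))


def is_vulnerable_to_cve_2022_47986(installed: str) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_faspex_version(installed) < parse_faspex_version(FIXED_VERSION)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to VULNERABLE, PATCHED or UNKNOWN (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            vulnerable = is_vulnerable_to_cve_2022_47986(version)
        except ValueError:
            result[host] = "UNKNOWN"
            continue
        result[host] = "VULNERABLE" if vulnerable else "PATCHED"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "faspex-dmz-01": "4.4.2 Patch Level 1",
        "faspex-dmz-02": "4.4.2 PL2",
        "faspex-lab-01": "4.4.1",
        "faspex-old-01": "version not recorded",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN should be checked by hand rather than assumed patched; a perimeter-facing Faspex server with no recorded version is exactly the kind of gap that active exploitation of this CVE punishes.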

Indicators of Compromise

Log files are located in the /opt/aspera/faspex/log directory. Log entries referencing 'PackageRelayController#relay_package' have been classified as an Indicator of Compromise (IoC).

Threat Landscape

IBM Aspera has a significant portion of the Enterprise Application Integration market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on. As a result, the IBM Aspera products can emerge as prime targets. Due to the fact that enterprise applications have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within such products in an attempt to extract the sensitive data contained therein.

Threat Group

The vulnerability was exploited in the recent IceFire ransomware campaign. IceFire ransomware emerged in March 2022, but the threat actors did not begin publishing exfiltrated victim data to their extortion site until August 2022.

IceFire operators have previously only targeted Windows systems, but their recent expansion to focus on Linux systems is a consistent trend that has been associated with additional ransomware groups such as Clop. Linux systems are typically server systems, which means that initial access techniques, such as phishing or drive-by compromise, are less effective as a method to gain access to these machines. Instead, threat actors are forced to rely on vulnerability exploitation which, while effective, diminishes a threat actor’s ability to launch widespread attacks.

Mitre Methodologies

Tactic:

TA0005 – Defence Evasion

Defence Evasion Technique:

T1070.002 – Indicator Removal: Clear Linux or Mac System Logs

Tactic:

TA0002 – Execution

Execution Technique:

T1053.003 – Scheduled Task/Job: Cron

Tactic:

TA0003 – Persistence

Persistence Techniques:

T1037.004 – Boot or Logon Initialization Scripts: RC Scripts
T1053.003 – Scheduled Task/Job: Cron
T1543.002 – Create or Modify System Process: System Service

Tactic:

TA0007 – Discovery

Discovery Techniques:

T1082 – System Information Discovery
T1083 – File and Directory Discovery

Tactic:

TA0040 – Impact

Impact Techniques:

T1486 – Data Encrypted for Impact
T1489 – Service Stop

Further Information

IBM Advisory
Rapid7 Blog
