IBM Aspera Faspex Vulnerability: The Next GoAnywhere-Style Mass-Exploit for Ransomware Gangs?

Date: March 30, 2023


Is the IBM Aspera Faspex vulnerability (CVE-2022-47986) the next GoAnywhere-style mass exploit for ransomware gangs? Scores of organizations have been hit by the Cl0p ransomware gang in recent weeks after attackers exploited a known vulnerability in the GoAnywhere file transfer software, for which a patch has been available for some time.

Users of a similar file transfer program, IBM Aspera Faspex, should seriously prioritize deploying the patch for this bug as soon as possible, as it could be the next mass exploit leveraged by ransomware operators (or other attackers) to infiltrate an organization’s network.

High-profile victims of the recent Cl0p campaign using the GoAnywhere exploit include Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, the UK Pension Protection Fund and dozens more. Dozens more have been added to Cl0p’s leak website but have yet to publicly report a ransomware attack, so we can expect new victims of this widespread attack campaign to continue to emerge.

The Aspera Faspex vulnerability is a YAML deserialization flaw that can be triggered remotely with a specially crafted call to an obsolete API, enabling code execution on the targeted system. It is rated 9.8 (critical) and impacts IBM Aspera Faspex 4.4.2 and earlier versions; a patch was issued in January.
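The bug class described above, shown as an added example that is not from the original article and is not IBM's code: a permissive YAML loader lets the sender of a document choose which class gets instantiated, while a restricted loader accepts only plain data. It uses Ruby's standard Psych library for illustration; the `AuditMarker` class, the helper names and the sample documents are constructed assumptions.

```ruby
require "yaml"

# Constructed stand-in for any class already loaded in the application.
# It only records its own creation and performs no action.
class AuditMarker
  attr_accessor :note
end

# Constructed sample inputs (not captured traffic).
TAGGED_YAML = "--- !ruby/object:AuditMarker\nnote: built from request data\n"
PLAIN_YAML  = "---\nrecipient: alice\nfiles:\n- report.pdf\n"

# Weak pattern: full deserialization lets the sender pick the class to build.
def parse_unsafe(text)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(text)   # explicit permissive loader on current Psych
  else
    YAML.load(text)          # older Psych: load was permissive by default
  end
end

# Hardened pattern: safe_load builds only plain data (strings, numbers,
# arrays, hashes) and refuses object tags and aliases.
def parse_safe(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  raise ArgumentError, "rejected untrusted YAML: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{parse_unsafe(TAGGED_YAML).class}"
  begin
    parse_safe(TAGGED_YAML)
  rescue ArgumentError => e
    puts "safe:   #{e.message}"
  end
  puts "plain:  #{parse_safe(PLAIN_YAML).inspect}"
end
```

Searching a code base for permissive loader calls on request-derived input is a quick way to find this pattern in other services that parse YAML.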

Takeaway: Similar to the issues with the GoAnywhere vulnerability, just because a patch is available does not mean all organizations will apply the fix in a timely manner. Attackers are keen to jump on new vulnerabilities, and often only become aware of the flaw after a patch is issued, so they count on organizations being slow to mitigate.

Cl0p was able to hit a large number of targets in a very short time period because they likely have automated scans that search the internet for networks still vulnerable to the bug, and it is highly likely that a number of threat actors are similarly looking for exploitable instances of IBM’s Aspera Faspex.

Reports indicate that the IceFire ransomware gang is already exploiting the vulnerability, and recent scans using Shodan identified 138 vulnerable instances. This is likely what attackers like Cl0p and IceFire are doing: simply using automated scans that look for the vulnerability in these file transfer programs, then leveraging exploits to infiltrate and move laterally through the networks of their victims.

Organizations can’t wait for an attacker to hit them with a ransomware payload before their ransomware defense strategy kicks in. They must have the ability to detect and disrupt attacks at the earliest stages: at initial ingress, when attackers move laterally, when command and control is established, or when data exfiltration begins. And in the event of a successful ransomware attack, the organization needs to be prepared for resilience by having the tools and processes in place to minimize the duration and overall impact of the attack.

Organizations need to focus on both a robust prevention strategy and an agile resilience strategy to defend against this wave of ransomware attacks. For a good security posture, all ransomware readiness plans should include endpoint protection solutions designed to defeat ransomware, good patch management, isolated data backups, robust access and identity controls, an employee awareness program, and periodic testing of organizational procedures and resilience.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.