
Ransomware crooks are exploiting IBM file-exchange bug with a 9.8 severity


  • #1

    I know that Cinesend used the Aspera file transfer stuff until they sold out to Deluxe.

    Deluxe probably uses it too though I don't know that for certain.

    I guess there's not much (or really anything) that us lowly end users can do about this, though.

    https://arstechnica.com/information-...-9-8-severity/

    Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

    The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

    In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

    On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

    “Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986,” company researchers wrote. “In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.”

    According to other researchers, the vulnerability is being exploited to install ransomware. Sentinel One researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the group pushed only a Windows version that got installed using phishing emails. Because phishing attacks are harder to pull off on Linux servers, IceFire pivoted to the IBM vulnerability to spread its Linux version. Researchers have also reported the vulnerability is being exploited to install ransomware known as Buhti.

    As noted earlier, IBM patched the vulnerability in January. IBM republished its advisory earlier this month to ensure no one missed it. People who want to better understand the vulnerability and how to mitigate potential attacks against Aspera Faspex servers should check posts here and here from security firms Assetnote and Rapid7.
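The advisory excerpt above gives the affected range as "4.4.2 Patch Level 1 and earlier". As an added example (not from the article, from IBM, or from any poster in this thread), here is a small Python triage helper that parses Faspex-style version strings and labels each host in an inventory as needing the patch or not; the accepted string formats ("4.4.2 PL1", "4.4.2 Patch Level 1"), the treatment of a missing patch level as level 0, and the sample inventory are all assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Last affected release per the IBM advisory quoted above: 4.4.2 Patch Level 1.
# Anything that parses to a tuple <= this is treated as inside the affected range.
LAST_AFFECTED = (4, 4, 2, 1)

# Assumed version string formats: "4.4.2", "4.4.2 PL1", "4.4.2 Patch Level 1".
# A version with no patch level is treated as patch level 0 (assumption).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:(?:PL|Patch\s*Level)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, patch_level), or None if the string is unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, pl = m.groups()
    return (int(major), int(minor), int(patch), int(pl) if pl else 0)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is 4.4.2 PL1 or earlier, False if newer, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    return v <= LAST_AFFECTED


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair as PATCH_NOW, OK or UNKNOWN.

    A version string alone cannot prove a host is safe (hotfixes, custom builds),
    so UNKNOWN entries need a manual check rather than being assumed fine.
    """
    out = []
    for host, version in inventory:
        status = is_affected(version)
        label = "UNKNOWN" if status is None else ("PATCH_NOW" if status else "OK")
        out.append((host, version, label))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("faspex-dmz-01", "4.4.2 PL1"),
    ("faspex-dmz-02", "4.4.2 Patch Level 2"),
    ("faspex-lab", "4.4.1"),
    ("faspex-old", "4.3.0 pl3"),
    ("faspex-odd", "unknown build"),
]

if __name__ == "__main__":
    for host, version, label in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {version:22} {label}")
```

The comparison is deliberately a plain tuple ordering, so a host reporting a version newer than 4.4.2 PL1 is labelled OK only on that basis; the page does not state the exact fixed build, so confirm the installed patch against IBM's advisory rather than against this script alone.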

  • #2
    I guess there's an advantage to not having our projector connected to the internet.



    • #3
      Originally posted by Mike Blakesley View Post
      I guess there's an advantage to not having our projector connected to the internet.
      If one has a TMS with an adequate firewall, then there shouldn't be any problems, and you can get a REALLY GOOD software-based firewall for free. I used to use Untangle, not free any more, but still reasonable. OPNsense is free.

      I only ever had one TMS hacked into, because the owner declined a firewall. Said his ISP had some fancy sort of protection and he wasn't worried. Lo and behold, the Twin Theater got hacked. No damage was done. The person who hacked in was an ex-employee and was just stealing trailers. A new complicated password was entered and no issues any more.



      • #4
        Your Deluxe doodad is connected to both the Internet and your projector's network. Otherwise you couldn't transfer the files off of it to your cinema server.



        • #5
          Interesting. A few comments.
          Firstly, companies using Aspera would have been warned of this vulnerability quickly. A fix/upgrade would be implemented and automatically rolled out, even if it had to be done by hand (if the companies were being responsible). This should have happened, and considering cinema and its sensitivity to security, you would expect this to have happened. If not, some serious questions need to be asked.

          Secondly, the big companies doing content distribution should not be using Aspera anymore. It's their core business. You may start with it but intend to transition away when you become bigger and established. Otherwise, by outsourcing your core business, you're nothing but a man in the middle, and I would assume you have other objectives in running the entity than doing content distribution. This would indicate other secret reasons are the real objective. (I could name a few.)

          How the industry reacts to this event could be telling.



          • #6
            This page lists "Aspera" under delivery options, so I guess it's still in use.

            https://www.bydeluxe.com/fulfillment

            There's probably no way for us to know if it's been fixed or not since the whole thing is just a magic black box.



            • #7
              I guess very few exhibitors are using IBM Aspera in their local deployments. I know that some content shops like Deluxe and Netflix use it in their backend to transfer huge chunks of data between sites, but that's all inside their corporate networks, nothing any exhibitor should worry about, unless you're a post shop or have some kind of other content deal with Deluxe, which offers Aspera as a delivery option.

              You probably should worry more about all those standard software exploits that are around. About two weeks ago, Microsoft also patched a 9.8 severity exploit, where your machine could be compromised by just receiving a specially crafted e-mail via Outlook, no need to even open the e-mail...



              • #8
                Originally posted by Marcel Birgelen View Post
                I guess very few exhibitors are using IBM Aspera in their local deployments. I know that some content shops like Deluxe and Netflix use it in their backend to transfer huge chunks of data between sites, but that's all inside their corporate networks, nothing any exhibitor should worry about, unless you're a post shop or have some kind of other content deal with Deluxe, which offers Aspera as a delivery option.
                The main reason you use Aspera is because it uses its own expensive high-speed interconnects to move the content through the internet, bypassing congested open internet interconnects.
                So using it for internal transfers when you have your own internal dedicated interconnects does not make any commercial sense.
                The FASTER transfer rates based on the UDP-based transfer mechanism only achieve a very slight benefit. You would be better off paying to up your connection speed if you did this a lot and using open standard transfer protocols.

                Originally posted by Marcel Birgelen View Post
                You probably should worry more about all those standard software exploits that are around. About two weeks ago, Microsoft also patched a 9.8 severity exploit, where your machine could be compromised by just receiving a specially crafted e-mail via Outlook, no need to even open the e-mail...
                Anyone using a non-web-based email client needs a good reason. Just using a web browser and its far higher security capabilities is an easier path in general.



                • #9
                  It might have helped if IBM had added an auto-update feature, or even a manual update one. Currently you have to google it, download it and install it.



                  • #10
                    Anyone using a non-web-based email client needs a good reason. Just using a web browser and its far higher security capabilities is an easier path in general.


                    A web-based email client is subject to all of the underlying foibles of the web browser. Tracking pixels, "rigged" URLs and all the rest of that fine stuff is not a problem with text only.

                    A local email client that renders emails in text-only by default is far more secure than a web-based solution ever could be.

                    I personally use Sylpheed on my computers and mutt on my cell phone. Both show text only by default and if I really want to view something in HTML I can drag it into Firefox on my computer.

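The post above argues that a text-only client sidesteps tracking pixels and "rigged" URLs because it never acts on the HTML part. As an added example (not from any poster in this thread), here is a Python script built on the standard library's email and html.parser modules that takes a raw MIME message, shows what a text-only client would render, and separately reports what a rendering client would have acted on: 1x1 tracking images and links whose visible text names a different host than their real target. The sample message, its addresses, hosts and the 1x1 heuristic are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (addresses, hosts and contents are made up). It carries a
# text/plain part and an HTML alternative that contains a 1x1 tracking image and a link
# whose visible text points at a different host than its real target.
SAMPLE_RAW = b"""From: KDM Desk <kdm@example.com>
To: booth@example.org
Subject: KDM for Friday
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your KDM is attached. Valid 2023-03-31 to 2023-04-07.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your KDM is attached. Valid 2023-03-31 to 2023-04-07.</p>
<p><a href="http://203.0.113.9/login">https://portal.example.com/login</a></p>
<img src="http://tracker.example.net/open?id=42" width="1" height="1">
</body></html>
--b1--
"""


class _HtmlScanner(HTMLParser):
    """Collects links (href plus visible text) and images from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.images = []   # (src, width, height)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img":
            self.images.append((a.get("src", ""), a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_view(msg: EmailMessage) -> str:
    """What a text-only client shows: the text/plain part, untouched by any HTML."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else "(no text/plain part)"


def html_findings(msg: EmailMessage) -> dict:
    """What a rendering client would act on silently: tracking pixels and mismatched links."""
    findings = {"tracking_pixels": [], "mismatched_links": []}
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return findings
    scanner = _HtmlScanner()
    scanner.feed(part.get_content())
    for src, width, height in scanner.images:
        if width == "1" and height == "1":  # classic 1x1 open-tracking beacon (heuristic)
            findings["tracking_pixels"].append(src)
    for href, text in scanner.links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown and urlparse(href).hostname != shown:  # text names one host, link goes elsewhere
            findings["mismatched_links"].append((text, href))
    return findings


def scan(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"text_view": text_view(msg).strip(), **html_findings(msg)}


if __name__ == "__main__":
    result = scan(SAMPLE_RAW)
    print("text-only view:", result["text_view"])
    print("tracking pixels:", result["tracking_pixels"])
    print("mismatched links:", result["mismatched_links"])
```

The mismatch check only fires when the visible link text itself looks like a URL; a link whose text is plain words ("click here") is not flagged, and a tracking image that is not literally 1x1 is missed, so treat both as illustrations of the class of problem rather than a complete filter.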


                    • #11
                      Originally posted by Frank Cox View Post
                      A web-based email client is subject to all of the underlying foibles of the web browser. Tracking pixels, "rigged" URLs and all the rest of that fine stuff is not a problem with text only.

                      A local email client that renders emails in text-only by default is far more secure than a web-based solution ever could be.

                      I personally use Sylpheed on my computers and mutt on my cell phone. Both show text only by default and if I really want to view something in HTML I can drag it into Firefox on my computer.

                      The functionality you lose in email by limiting it to text is huge. For example, all emails from KDM suppliers extensively use HTML-based email sending to make them easy to understand and read. It's the norm; people expect it.

                      Web-based systems typically have huge curated malware and virus-checking systems as part of the solution. They cannot be beaten by any local attempt at keeping on top of the threats. They can also fingerprint threats as they happen and filter out emails after the fact. That is not possible on local email tools.

                      So, your biggest threat is someone sending an attack package that is a PDF, or other types of attachments that attack your systems. The best defence is to be part of a larger threat intelligence system that actively spots or pulls them out of your Mailbox before you have a chance to click on it.
                      These features are not possible on a local email client.



                      • #12
                        [Attachment: Screenshot at 2023-03-29 18-32-22.png]
                        "Here's the key, here's the credit offsets".

                        A pink font with a unicorn graphic isn't going to tell me anything more than that.

                        I always double-check the validity dates with vim, too.



                        • #13
                          As of late the Cinesends seem to be very slow in doing the FTP transfer to the servers, often freezing completely and sometimes requiring several reboots.



                          • #14
                            I haven't had to reboot this one due to freezing but I have noticed that it's quite a bit slower to get started doing the transfer after selecting the titles to copy.



                            • #15
                              Originally posted by James Gardiner View Post
                              The main reason you use Aspera is because it uses its own expensive high-speed interconnects to move the content through the internet, bypassing congested open internet interconnects.
                              So using it for internal transfers when you have your own internal dedicated interconnects does not make any commercial sense.
                              The FASTER transfer rates based on the UDP-based transfer mechanism only achieve a very slight benefit. You would be better off paying to up your connection speed if you did this a lot and using open standard transfer protocols.
                              The problem with many "open standard transfer protocols" is that they don't perform well over high-latency connections. Even in 2023, getting TCP window sizes right is apparently hard. Protocols that use multiple TCP sessions or UDP may circumvent those issues. There is no need for them to be closed source though. If I say BitTorrent, most people think of illegal downloads, but the protocol itself is perfectly legal, open source and a good option if you want to efficiently and reliably distribute huge chunks of data.

                              Dedicated interconnects and dedicated networks are on their return, I've seen many companies abandon their expensive MPLS networks in the last few years, as workloads shift to "the open internet" and "cloud services"...

                              Originally posted by James Gardiner View Post
                              Anyone using a non-web-based email client needs a good reason. Just using a web browser and its far higher security capabilities is an easier path in general.
                              Microsoft's OWA still doesn't come close to the features of its Outlook client. While you could argue that there are better, open solutions available, you can't get around the MS365 stack in the corporate world.
                              Also, like Frank indicated, even though web browsers are constantly on the front line and pretty hardened against your average attack, they aren't free from zero-day exploits.

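The exchange above turns on why a single TCP stream struggles over a high-latency path and why tools fall back to many parallel streams or UDP. As an added example (not from any poster in this thread), the Python below works the bandwidth-delay product through: it computes how many bytes one connection must keep in flight to fill a link, the throughput ceiling a fixed receive window imposes at a given RTT, and how many parallel streams with that window it would take to fill the link. The 1 Gbit/s, 150 ms scenario and the window sizes are constructed; the model ignores packet loss and slow start, so real throughput on a lossy path is lower still.

```python
import math

# Bandwidth-delay product: the bytes that must be "in flight" to keep a link busy.
# A single TCP connection cannot exceed (receive window / RTT), whatever the link speed,
# which is why an unscaled 64 KiB window is useless on a long-haul gigabit path.


def bdp_bytes(link_mbps: float, rtt_ms: float) -> float:
    """Bytes one connection must have in flight to fill the link at this RTT."""
    return link_mbps * 1e6 / 8 * (rtt_ms / 1e3)


def window_limited_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput ceiling (Mbit/s) of one TCP connection with a fixed receive window."""
    return window_bytes * 8 / (rtt_ms / 1e3) / 1e6


def streams_to_fill(link_mbps: float, rtt_ms: float, window_bytes: int) -> int:
    """How many parallel connections with this window it takes to fill the link."""
    return max(1, math.ceil(link_mbps / window_limited_mbps(window_bytes, rtt_ms)))


def report(link_mbps: float, rtt_ms: float, windows) -> list:
    """One (window, per-stream Mbit/s, streams needed) row per candidate window size."""
    return [
        (w, round(window_limited_mbps(w, rtt_ms), 2), streams_to_fill(link_mbps, rtt_ms, w))
        for w in windows
    ]


if __name__ == "__main__":
    # Constructed scenario: a 1 Gbit/s link with 150 ms RTT (an intercontinental path).
    LINK, RTT = 1000.0, 150.0
    print(f"BDP: {bdp_bytes(LINK, RTT) / 1e6:.2f} MB in flight to fill {LINK:.0f} Mbit/s at {RTT:.0f} ms")
    for w, mbps, n in report(LINK, RTT, [65_535, 4 * 1024**2, 16 * 1024**2]):
        print(f"window {w:>9} B -> {mbps:8.2f} Mbit/s per stream, {n:3} streams to fill the link")
```

With a 150 ms RTT the unscaled 64 KiB window caps one stream at about 3.5 Mbit/s, so a transfer tool would need close to 300 parallel connections to approach 1 Gbit/s, which is exactly the situation that multi-stream and UDP-based transfer tools are built around; raising the window (TCP window scaling, larger socket buffers) brings that number down to a handful.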
