Buhti Ransomware

BUHTI Ransomware

Omer Pinsker

February 16, 2023

On Feb 15, 2023, the OP Innovate incident response team responded to multiple ransom attacks being carried out simultaneously on US companies. Some were perpetrated by a new group named “Buhti”.

The Buhti attack group is actively exploiting CVE-2022-47986 on IBM Aspera Faspex which allows a remote attacker to execute arbitrary code on the target system. This vulnerability is caused by a YAML deserialization flaw. Therefore by sending a specially-crafted obsolete API call, an attacker can exploit this vulnerability to execute arbitrary code on the system.

The vulnerability was discovered by an attack surface management tool (ASM) and reported to IBM in October 2022. In January 2023 IBM informed their customers about the vulnerabilities and released a patch. Cybersecurity companies around the world started publishing exploitation methods (including code examples) for this vulnerability and we assume that the ‘Buhti’ groups used these POCs to launch attacks against organizations around the world. 

We have also seen other reports of this vulnerability being exploited in the wild. There is not much information about the attack group but we assume that they are acting from the Balkan region since Buhti is a delicious Bulgarian dish.

The ransom demand:

Buhti Ransom note

According to OP Innovate’s threat intelligence, many attack groups around the world are discussing this vulnerability. According to our non-intrusive scans, more than 2000 companies located mostly in the United States and the United Kingdom are still exposed to Aspera Faspex vulnerabilities on their servers. 

How to remediate and mitigate:

  • Update Faspex to version 4.4.2 PL2.
  • Avoid externally exposing Faspex servers with versions that are lower than the patched version. 

More POCs will be shared in the future. 

For more information please contact us !