Open Nav
Sign Up

Buhti Ransomware

BUHTI Ransomware

Omer Pinsker

February 16, 2023

On Feb 15, 2023, the OP Innovate incident response team responded to multiple ransom attacks being carried out simultaneously on US companies. Some were perpetrated by a new group named “Buhti”.

The Buhti attack group is actively exploiting CVE-2022-47986 on IBM Aspera Faspex which allows a remote attacker to execute arbitrary code on the target system. This vulnerability is caused by a YAML deserialization flaw. Therefore by sending a specially-crafted obsolete API call, an attacker can exploit this vulnerability to execute arbitrary code on the system.

The vulnerability was discovered by an attack surface management tool (ASM) and reported to IBM in October 2022. In January 2023 IBM informed their customers about the vulnerabilities and released a patch. Cybersecurity companies around the world started publishing exploitation methods (including code examples) for this vulnerability and we assume that the ‘Buhti’ groups used these POCs to launch attacks against organizations around the world. 

We have also seen other reports of this vulnerability being exploited in the wild. There is not much information about the attack group but we assume that they are acting from the Balkan region since Buhti is a delicious Bulgarian dish.

The ransom demand:

Buhti Ransom note

According to OP Innovate’s threat intelligence, many attack groups around the world are discussing this vulnerability. According to our non-intrusive scans, more than 2000 companies located mostly in the United States and the United Kingdom are still exposed to Aspera Faspex vulnerabilities on their servers. 

How to remediate and mitigate:

  • Update Faspex to version 4.4.2 PL2.
  • Avoid externally exposing Faspex servers with versions that are lower than the patched version. 

More POCs will be shared in the future. 

For more information please contact us !

Resources highlights

AsyncAPI npm Supply-Chain Attack Delivers Cross-Platform Miasma RAT

A software supply-chain attack compromised four packages in the official AsyncAPI npm namespace, resulting in five malicious package versions being distributed through the project’s legitimate…

Read more >

AsyncAPI supply chain attack

Zoom Windows Vulnerability Enables Account Takeover (CVE-2026-53412)

Zoom has released security updates for a critical vulnerability affecting Zoom Workplace and Zoom Workplace VDI clients for Windows. Tracked as CVE-2026-53412, the vulnerability could…

Read more >

cve-2026-53412

Actively Exploited SonicWall SMA1000 Vulnerabilities (CVE-2026-15409 and CVE-2026-15410)

SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries…

Read more >

sonicwall_cve-2026-15409_cve-2026-15410_op

Critical Gitea Docker Authentication Bypass Under Active Probing: CVE-2026-20896

A critical authentication bypass vulnerability, tracked as CVE-2026-20896, has been disclosed in the official Gitea Docker image. Gitea is a self-hosted software development platform used…

Read more >

gitea_docker_cve-2026-20896

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business
Under Cyber Attack?

Fill out the form and we will contact you immediately.