Open Nav
Sign Up

Buhti Ransomware

BUHTI Ransomware

Omer Pinsker

February 16, 2023

On Feb 15, 2023, the OP Innovate incident response team responded to multiple ransom attacks being carried out simultaneously on US companies. Some were perpetrated by a new group named “Buhti”.

The Buhti attack group is actively exploiting CVE-2022-47986 on IBM Aspera Faspex which allows a remote attacker to execute arbitrary code on the target system. This vulnerability is caused by a YAML deserialization flaw. Therefore by sending a specially-crafted obsolete API call, an attacker can exploit this vulnerability to execute arbitrary code on the system.

The vulnerability was discovered by an attack surface management tool (ASM) and reported to IBM in October 2022. In January 2023 IBM informed their customers about the vulnerabilities and released a patch. Cybersecurity companies around the world started publishing exploitation methods (including code examples) for this vulnerability and we assume that the ‘Buhti’ groups used these POCs to launch attacks against organizations around the world. 

We have also seen other reports of this vulnerability being exploited in the wild. There is not much information about the attack group but we assume that they are acting from the Balkan region since Buhti is a delicious Bulgarian dish.

The ransom demand:

Buhti Ransom note

According to OP Innovate’s threat intelligence, many attack groups around the world are discussing this vulnerability. According to our non-intrusive scans, more than 2000 companies located mostly in the United States and the United Kingdom are still exposed to Aspera Faspex vulnerabilities on their servers. 

How to remediate and mitigate:

  • Update Faspex to version 4.4.2 PL2.
  • Avoid externally exposing Faspex servers with versions that are lower than the patched version. 

More POCs will be shared in the future. 

For more information please contact us !

Resources highlights

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463

CVE-2025-6554: Chrome V8 Zero-Day Exploited in the Wild

On June 30, 2025, Google issued an emergency patch for a critical zero-day vulnerability in its Chrome browser, tracked as CVE-2025-6554. The flaw resides in…

Read more >

CVE-2025-6554

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144
Under Cyber Attack?

Fill out the form and we will contact you immediately.