Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

On Tuesday, researchers from security firm Rapid7 said they recently responded to an incident in which a customer was breached using the vulnerability.

“Rapid7 is aware of at least one recent incident where a customer was compromised via CVE-2022-47986,” company researchers wrote. “In light of active exploitation and the fact that Aspera Faspex is typically installed on the network perimeter, we strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur.”

According to other researchers, the vulnerability is being exploited to install ransomware. Sentinel One researchers, for instance, said recently that a ransomware group known as IceFire was exploiting CVE-2022-47986 to install a newly minted Linux version of its file-encrypting malware. Previously, the group pushed only a Windows version that got installed using phishing emails. Because phishing attacks are harder to pull off on Linux servers, IceFire pivoted to the IBM vulnerability to spread its Linux version. Researchers have also reported the vulnerability is being exploited to install ransomware known as Buhti.

As noted earlier, IBM patched the vulnerability in January. IBM republished its advisory earlier this month to ensure no one missed it. People who want to better understand the vulnerability and how to mitigate potential attacks against Aspera Faspex servers should check posts here and here from security firms Assetnote and Rapid7.

The latest breakthroughs in artificial intelligence could lead to the automation of a quarter of the work done in the US and eurozone, according to research by Goldman Sachs.

The investment bank said on Monday that “generative” AI systems such as ChatGPT, which can create content that is indistinguishable from human output, could spark a productivity boom that would eventually raise annual global gross domestic product by 7 percent over a 10-year period.

But if the technology lived up to its promise, it would also bring “significant disruption” to the labor market, exposing the equivalent of 300 million full-time workers across big economies to automation, according to Joseph Briggs and Devesh Kodnani, the paper’s authors. Lawyers and administrative staff would be among those at greatest risk of becoming redundant.

They calculate that roughly two-thirds of jobs in the US and Europe are exposed to some degree of AI automation, based on data on the tasks typically performed in thousands of occupations.

Most people would see less than half of their workload automated and would probably continue in their jobs, with some of their time freed up for more productive activities.

In the US, this should apply to 63 percent of the workforce, they calculated. A further 30 percent working in physical or outdoor jobs would be unaffected, although their work might be susceptible to other forms of automation.

But about 7 percent of US workers are in jobs where at least half of their tasks could be done by generative AI and are vulnerable to replacement.

Goldman said its research pointed to a similar impact in Europe. At a global level, since manual jobs are a bigger share of employment in the developing world, it estimates about a fifth of work could be done by AI—or about 300 million full-time jobs across big economies.

The report will stoke debate over the potential of AI technologies both to revive the rich world’s flagging productivity growth and to create a new class of dispossessed white-collar workers, who risk suffering a similar fate to that of manufacturing workers in the 1980s.

Goldman’s estimates of the impact are more conservative than those of some academic studies, which included the effects of a wider range of related technologies.

A paper published last week by OpenAI, the creator of GPT-4, found that 80 percent of the US workforce could see at least 10 percent of their tasks performed by generative AI, based on analysis by human researchers and the company’s machine large language model (LLM).

Europol, the law enforcement agency, also warned this week that rapid advances in generative AI could aid online fraudsters and cyber criminals, so that “dark LLMs…  may become a key criminal business model of the future.”

Goldman said that if corporate investment in AI continued to grow at a similar pace to software investment in the 1990s, US investment alone could approach 1 percent of US GDP by 2030.

The Goldman estimates are based on an analysis of US and European data on the tasks typically performed in thousands of different occupations. The researchers assumed that AI would be capable of tasks such as completing tax returns for a small business; evaluating a complex insurance claim; or documenting the results of a crime scene investigation.

They did not envisage AI being adopted for more sensitive tasks such as making a court ruling, checking the status of a patient in critical care, or studying international tax laws.

© 2023 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

President Joe Biden on Monday signed an executive order barring many uses by the federal government of commercial spyware, which has been increasingly used by other countries in recent years to surveil dissidents, journalists, and politicians.

The signing of the executive order came as administration officials told journalists that roughly 50 US government personnel in at least 10 countries had been infected or targeted by such spyware, a larger number than previously known. The officials didn’t elaborate.

Commercial spyware is sold by a host of companies, with the best known being NSO Group of Israel. The company sells a hacking tool known as Pegasus that can surreptitiously compromise both iPhones and Android devices using “clickless” exploits, meaning they require no user interaction. By sending a text or ringing the device, Pegasus can install spying software that steals contacts, messages, geo locations, and more, even when the text or call isn’t answered. Other companies selling commercial spyware include Cytrox, Candiru, and Paragon.
While NSO describes Pegasus as a “lawful intercept” tool that’s sold only to legitimate law-enforcement agencies to investigate crime and terrorism. Mexico, India, Saudi Arabia, the United Arab Emerates, Morocco, and other countries have been caught deploying it against political dissidents, journalists, and other citizens that aren’t accused of any crimes. In November 2021, the Biden administration restricted the export, re-export, and in-country transfer of products from NSO and three other companies in Israel, Russia, and Singapore.

Monday’s executive order goes further by barring federal agencies, including those engaged in law enforcement, defense, or intelligence activities, from “operationally using” commercial spyware.

“The proliferation of commercial spyware poses distinct and growing counterintelligence and security risks to the United States, including to the safety and security of US Government personnel and their families,” a fact sheet published by the White House said. “US Government personnel overseas have been targeted by commercial spyware, and untrustworthy commercial vendors and tools can present significant risks to the security and integrity of US Government information and information systems.”

White House officials aren’t naming the specific spyware that’s barred, but using the term commercial spyware strongly implies it includes tools sold by NSO, Cytrox, Candiru, and others. Criteria for tools falling under the order include if:

• they’re abused by a foreign government in an attempt to access the device of a US citizen
• a foreign actor deploys them against activists or dissidents in an attempt to intimidate or curb dissent or opposition or squelch expressions of free speech
• they’re supplied to governments for which there are credible reports that they engage in systematic acts of political repression.

The officials declined to say if US law enforcement and intelligence agencies currently use commercial spyware. Last year, the FBI confirmed a New York Times report that the bureau had bought NSO Group’s Pegasus tool for product testing and evaluation but said they weren’t used for operational purposes or to support any investigation. The US Drug Enforcement Agency, the NYT has also reported, deployed a surveillance tool called Graphite for use in counternarcotics operations.