Recently discovered IceFire Ransomware now also targets Linux systems (Security Affairs)

The recently discovered Windows ransomware IceFire is now also targeting Linux enterprise networks in several sectors.

SentinelLabs researchers have discovered a Linux version of the recently discovered IceFire ransomware, used in attacks against several media and entertainment organizations around the world. The ransomware initially targeted only Windows-based systems, with a focus on tech companies.

IceFire was first spotted by MalwareHunterTeam researchers in March 2022, but the group has been listing victims on its dark web leak site since August 2022.

Experts observed attackers exploiting a deserialization vulnerability in IBM Aspera Faspex file sharing software (CVE-2022-47986, CVSS score: 9.8) to distribute ransomware.

Most IceFire infections have been reported from Turkey, Iran, Pakistan, and the United Arab Emirates. Experts noted that these countries are not typically the focus of organized ransomware operations.

SentinelOne researchers have successfully tested a version of IceFire Linux against Intel-based distributions of Ubuntu and Debian. It is 2.18MB in size and the 64-bit ELF binary is compiled with gcc for the AMD64 architecture.

In the attacks observed by the experts, the ransomware successfully encrypted a CentOS host running a vulnerable version of the IBM Aspera Faspex file server software.

The ransomware encrypts files, appends the “.ifire” extension to their filenames, and then deletes itself by removing its binary.

IceFire does not encrypt files with “.sh” and “.cfg” extensions, nor does it encrypt certain folders to allow continued use of the infected system.

“During analysis, the user profile directory in /home/[user_name]/ saw the most encryption activity. IceFire targets user and shared directories (e.g. /mnt, /media, /share) for encryption. These are unprotected parts of the filesystem and do not require elevated privileges to write or modify,” reads the analysis published by SentinelOne. “Interestingly, several file-sharing clients downloaded harmless encrypted files after IceFire encrypted a shared folder on the file server. Despite the attack on the server, clients were still able to download files from the encrypted server. This means that IceFire developers have made careful choices in excluded paths and file extensions.”
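As an added example (not code from the article or from SentinelLabs), the following triage helper turns the behaviour described above into a quick check a responder can run over a file listing from a suspect host: it counts “.ifire” files under the targeted roots, recovers the original extensions, and separately lists intact “.sh”/“.cfg” files, since those being untouched is expected and must not be mistaken for a clean host. The paths and names are constructed for the demonstration.

```python
from collections import Counter
from pathlib import PurePosixPath

# Behaviour described in the article: extension appended to encrypted files,
# directories the encryptor targets, and extensions it leaves alone.
IFIRE_EXT = ".ifire"
TARGET_ROOTS = ("/home", "/mnt", "/media", "/share")
SKIPPED_EXTS = {".sh", ".cfg"}


def target_root(path):
    """Return the targeted top-level directory a path lies under, else None."""
    s = str(PurePosixPath(path))
    for root in TARGET_ROOTS:
        if s == root or s.startswith(root + "/"):  # "/homework" must not match
            return root
    return None


def triage(paths):
    """Summarise IceFire-style indicators over a list of file paths.

    Counts ".ifire" files per targeted root, recovers original extensions
    (file.txt.ifire -> .txt), and lists intact files on the skip list.
    """
    by_root, orig_exts, skipped_intact = Counter(), Counter(), []
    for raw in paths:
        p = PurePosixPath(raw)
        root = target_root(p)
        if p.suffix == IFIRE_EXT:
            by_root[root or "<other>"] += 1
            orig_exts[PurePosixPath(p.stem).suffix or "<none>"] += 1
        elif root and p.suffix in SKIPPED_EXTS:
            skipped_intact.append(raw)
    total = sum(by_root.values())
    return {
        "suspected_icefire": total > 0,
        "encrypted_total": total,
        "encrypted_by_root": dict(by_root),
        "original_extensions": dict(orig_exts),
        "skipped_extensions_intact": skipped_intact,
    }


# Constructed sample listing from a hypothetical file server (not real IoCs).
SAMPLE_PATHS = [
    "/home/alice/report.docx.ifire",
    "/home/alice/notes.txt.ifire",
    "/home/alice/backup.sh",
    "/share/projects/plan.xlsx.ifire",
    "/mnt/data/app.cfg",
    "/etc/ssh/sshd_config",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```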

The Windows version of the ransomware spreads via phishing messages and pivots using post-exploitation toolkits. The Linux variant is still in its infancy.

Experts pointed out that, at the time the report was published, the IceFire binaries were detected by 0 of 61 VirusTotal engines.

The ransom note contains hard-coded credentials to log into the ransom payment portal hosted on the Tor hidden service.

“IceFire’s evolution is consistent with ransomware targeting Linux, which has grown in popularity into 2023. Fundamentally, the Linux ransomware trend started in 2021 and accelerated in 2022 as prominent groups added Linux encryptors to their arsenal, such as Black Basta, Hive, Qilin, Vice Society aka HelloKitty, and others,” the report concludes. “Compared to Windows, Linux is more difficult to deploy ransomware against, especially at large scale. Many Linux systems are servers, so common infection vectors such as phishing or drive-by downloads are less effective. To overcome this, attackers exploit application vulnerabilities, as the IceFire operators demonstrated by distributing payloads via the IBM Aspera vulnerability.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs - hacking, IceFire ransomware)