IceFire Ransomware Windows Shift

October 27, 2023

IceFire ransomware, once Windows-only, has shifted to Linux, and the change says something about the wider threat landscape. In recent attacks, hackers have been deploying the IceFire ransomware against Linux enterprise networks, a notable shift for what was once a Windows-only malware. The intrusions exploit a vulnerability (CVE-2022-47986) in the IBM Aspera data transfer service that can lead to arbitrary code execution. The same flaw is leveraged by Chinese hackers against unpatched SonicWall gateways to deploy credential-stealing malware that persists through firmware upgrades.

Security researchers at SentinelLabs have detected a new Linux version of the IceFire ransomware.

Cybercriminals are deploying the IceFire ransomware against Linux enterprise networks, marking a shift for what was once a Windows-only malware. The latest attacks are based on a Linux variant of the malware that targets a vulnerability in IBM’s Aspera Faspex file-sharing software.

The new variant encrypts files on victim machines and then demands payment to restore access. It exploits a deserialization vulnerability in IBM’s Aspera Faspex software (CVE-2022-47986), which was patched earlier this year. According to a report from cybersecurity firm SentinelLabs, the IceFire ransomware has been deployed in recent weeks in several media and entertainment breaches.

Security researchers at SentinelLabs say the attack is part of a growing trend. “Since the 2021 Babuk source code leak, ransomware has been increasingly targeting VMware ESXi hypervisors, which are used in on-prem and hybrid cloud environments,” the report reads. “ReversingLabs recently observed nine new ransomware families leveraging the leaked Babuk code to target ESXi.”

In addition to the new Linux variant of the IceFire ransomware, attackers have been targeting Linux systems using techniques that make their attacks harder to detect. For example, many Linux systems are servers, and as such are often harder to infect through traditional infection vectors such as phishing and drive-by downloads. SentinelLabs says this makes it more difficult for the ransomware to spread, and has forced threat actors to rely on exploiting vulnerabilities instead.

According to the researchers, the latest attack involves the IceFire ransomware encrypting user profile and shared directories on the infected system. They cite the fact that it avoids encrypting paths victim machines need to remain operational as a sign of careful consideration by the developers.

TechTarget Editorial Analyst Alex Delamotte tells Dark Reading that the developers of IceFire made “thoughtful choices” when it came to which folders they chose to encrypt and which file extensions to exclude, “suggesting that they are either aware of the damage that could result from destructive ransomware or had heavily worked with destructive malware in the past.”

The attackers are also making sure their victims know they are being targeted by avoiding the usual ransom demand emails and other typical behavior patterns. In addition, the researchers have identified that the attackers are using a proxy to help them avoid detection by antivirus software.

The malware is based on a vulnerability in IBM’s Aspera Faspex file-sharing software.

A previously known Windows-based ransomware strain has expanded its attack surface to include Linux enterprise systems belonging to several media and entertainment sector organizations across the globe. The attackers are leveraging a recently disclosed deserialization vulnerability in the IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score 9.8) to gain initial access to the targeted networks, according to researchers at cybersecurity firm SentinelOne.

The threat discovery is notable for a few reasons. For one, it demonstrates the continued trend of attackers targeting Linux systems in addition to their usual targets on Microsoft operating systems. It also highlights the difficulty that IT administrators have in detecting and blocking these attacks.

According to the research team at SentinelOne, the new Linux variant of IceFire uses a 2.18 MB 64-bit ELF file to target CentOS servers that are running a vulnerable version of the Aspera Faspex server application. The malware avoids encrypting certain paths that would cause the system to shut down and instead focuses on the files in /etc, /lib, /proc, /srv, /var and /usr. After encrypting these files, the malware adds an .iFire extension to the file name, then deletes itself to cover its tracks.

The attackers are using a number of techniques to spread the threat, including phishing emails and drive-by downloads. The vulnerability in Aspera Faspex is caused by improper input validation and could be exploited through a remote code execution attack. However, SentinelOne warns that many popular exploitation frameworks such as Metasploit and Cobalt Strike can be used to chain attacks on this vulnerability.

Once inside the network, the ransomware encrypts files with the extension iFire and then renames all other files in /etc, /lib, and /proc with the same extension. It then covers its tracks by deleting itself and all log files.

The gang behind this latest campaign appears to be focused on targeting large companies, as most of the victims identified by SentinelOne are in the media and entertainment sectors. The attack is also noteworthy for focusing on companies in Turkey, Iran, Pakistan and the United Arab Emirates, countries that are not often a focus of organized ransomware gangs.

The attackers are targeting media and entertainment companies.

Media and entertainment companies are a tempting target for cybercriminals. They are rich with resources and customers, making them valuable targets for hackers to monetize through ransomware attacks and data theft. In addition, they often have complex supply chains and operate worldwide, which makes them easier to compromise from outside the company’s network.

Hollywood is a prime example of how a company’s assets can make it a target for cyberattacks. The movies are expensive to produce, and studios invest billions of dollars into their development and production. The stakes are high for the industry, and a successful hack can sink a blockbuster movie in box office sales or turn a television show into a flop that local cable providers won’t carry.

The glitz and glamour of the film industry also attracts hacktivists, who want to use these platforms to spread their political messages. The infamous 2014 breach of Sony Pictures Entertainment by North Korean hackers, for instance, resulted in the leak of embarrassing internal emails.

In the case of music and video games, the hackers are after the source code or development footage that is key to their upcoming releases. This is why some of these companies are a target of double extortion attacks, where hackers steal the company’s prized information before encrypting systems and threatening to release it on the dark web if the victim doesn’t pay the ransom.

A few months ago, Polish video game developer CD Projekt Red was hit by a ransomware attack that compromised its servers. The company announced in a Tweet that the attackers managed to gain access to its source code for the Cyberpunk 2077 and The Witcher video games, and it was subsequently revealed that the hackers had threatened to publish sensitive personal data of CD Projekt Red employees on the internet if the company didn’t pay the demanded sum.

Many of these attacks go unreported, as the victims would rather pay the ransom and avoid a public backlash than risk a PR nightmare. But the industry’s vulnerability to these types of cyberattacks is growing every year. The complexity of media’s supply chain and global operations, coupled with the sensitivity of its content and customer information, makes it a target for malicious actors worldwide.

The malware encrypts files with the iFire extension.

When a company is hit with ransomware, it’s critical to try to recover files without paying the attackers. Ransomware attacks can be very damaging and can even result in total data loss if the files are not recovered. There are several programs available to help restore files that have been encrypted by ransomware, such as Emsisoft’s Free Ransomware Decryption Tools and Avast’s Free Ransomware Decryptor Tools.

According to SentinelLabs, a research division of cybersecurity firm SentinelOne, the new Linux version of IceFire has been attacking media and entertainment companies across the world. The attackers breached the systems of these organizations by exploiting a vulnerability in IBM’s Aspera Faspex file-sharing software, and then encrypted the files on the system. The malware encrypts the files with the iFire extension and demands a ransom payment to unlock the files.

The IceFire attack has been underway since mid-February 2023. The malware has been deployed by phishing messages and by pivoting using post-exploitation frameworks. Once the malware infiltrates a target, it scans the environment to find files that are worth encrypting. It primarily targets user and shared directories, because they tend to contain valuable information and don’t require extra privileges to write or modify.

After encrypting the files, the malware deletes itself to avoid detection and prevent the victim from noticing anything wrong. The malware also tries to selectively encrypt folders, and avoids targeting important operating system files.
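The behaviour the article describes above and in the earlier CentOS paragraphs (files renamed with the .iFire extension under system and user directories, followed by the binary deleting itself) can be turned into a simple host-level detection. The following is an added example, not code from SentinelLabs or the article; the log format, the process id, the binary path /tmp/iFire and the events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed file-event log format (an assumption, not a real tool's output):
# "<ts> pid=<n> exe=<path> op=<rename|unlink> path=<p> [new=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) op=(?P<op>\w+)"
    r" path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
IFIRE_EXT = ".iFire"
# Directories the article reports the Linux variant encrypting, plus user/shared data
WATCHED = ("/etc", "/lib", "/proc", "/srv", "/var", "/usr", "/home")

# Constructed sample events: one process mass-renaming files to .iFire and then
# unlinking its own executable, plus one benign rename by an ordinary tool.
SAMPLE_LOG = """\
2023-02-20T10:00:01Z pid=4242 exe=/tmp/iFire op=rename path=/srv/shared/budget.xlsx new=/srv/shared/budget.xlsx.iFire
2023-02-20T10:00:01Z pid=4242 exe=/tmp/iFire op=rename path=/home/alice/notes.txt new=/home/alice/notes.txt.iFire
2023-02-20T10:00:02Z pid=4242 exe=/tmp/iFire op=rename path=/var/www/site.db new=/var/www/site.db.iFire
2023-02-20T10:00:02Z pid=4242 exe=/tmp/iFire op=rename path=/usr/share/doc/readme new=/usr/share/doc/readme.iFire
2023-02-20T10:00:09Z pid=4242 exe=/tmp/iFire op=unlink path=/tmp/iFire
2023-02-20T10:00:10Z pid=777 exe=/usr/bin/mv op=rename path=/home/bob/a.txt new=/home/bob/b.txt
"""

def analyze(log_text, threshold=3):
    """Per pid: count renames that add .iFire under a watched directory, record the
    top-level directories touched, and note whether the process unlinked its own
    executable (the self-deletion the article describes). A pid is flagged when
    its .iFire rename count reaches the threshold."""
    stats = defaultdict(lambda: {"ifire_renames": 0, "dirs": set(), "self_deleted": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ev = m.groupdict()
        s = stats[ev["pid"]]
        in_watched = any(ev["path"].startswith(d + "/") for d in WATCHED)
        if ev["op"] == "rename" and ev["new"] and ev["new"].endswith(IFIRE_EXT) and in_watched:
            s["ifire_renames"] += 1
            s["dirs"].add("/" + ev["path"].split("/")[1])
        elif ev["op"] == "unlink" and ev["path"] == ev["exe"]:
            s["self_deleted"] = True
    return {pid: {"ifire_renames": s["ifire_renames"], "dirs": sorted(s["dirs"]),
                  "self_deleted": s["self_deleted"],
                  "suspicious": s["ifire_renames"] >= threshold}
            for pid, s in stats.items()}

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_LOG).items():
        print(pid, finding)
```

The threshold is deliberately low for the constructed sample; on a real host it should be tuned against the normal rename rate of backup and build tooling.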

This change in behavior from the IceFire attackers reflects a growing awareness among these actors of how to minimize their exposure in corporate environments. Ransomware experts have long warned that the encryption of sensitive data is a dangerous and increasingly common tactic used by threat actors to extract extortion payments from their victims.

The researchers at SentinelLabs observed that the IceFire malware uses a cryptographic library from a popular open source project, and as a result, most antivirus solutions are ineffective in detecting the malicious binary. In fact, the new Linux variant of the IceFire ransomware was not detected by any of the 61 threat detection engines compiled by VirusTotal.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
