IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

March 9, 2023 | Ravie Lakshmanan | Linux / Endpoint Security


The IceFire ransomware strain, previously known only for targeting Windows, has expanded its focus to Linux enterprise networks belonging to multiple media and entertainment sector organizations around the world.

According to cybersecurity firm SentinelOne, the intrusions involve exploiting a recently disclosed deserialization vulnerability in the IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8).

Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News, “This strategic shift is an important move in alignment with other ransomware groups targeting Linux systems.”

The majority of attacks observed by SentinelOne were directed at companies located in Turkey, Iran, Pakistan, and the UAE, countries not typically targeted by organized ransomware crews.

IceFire was first observed in March 2022 by MalwareHunterTeam, but according to GuidePoint Security, Malwarebytes, and NCC Group, it wasn’t until August 2022 that its victims were made public via a dark web leak site.


The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that is deployed on CentOS hosts running a vulnerable version of the IBM Aspera Faspex file server software.

It also skips encrypting certain paths so that infected machines can keep running after the attack.


“Compared to Windows, Linux is more difficult to deploy ransomware against, especially at scale,” said Delamotte. “Many Linux systems are servers. Typical infection vectors such as phishing and drive-by downloads are not very effective. To overcome this, attackers look to exploit vulnerabilities in applications.”

The development comes as Fortinet FortiGuard Labs disclosed a new LockBit ransomware campaign that uses “evasive tradecraft” to avoid detection, delivering the payload inside .IMG containers to bypass Mark of the Web (MotW) protections.
