9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne.
βThis strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems,β Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News.
A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews.
IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasnβt until August 2022 that victims were publicized via its dark web leak site, according to GuidePoint Security, Malwarebytes, and NCC Group.
The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file thatβs installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software.
Itβs also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.
βIn comparison to Windows, Linux is more difficult to deploy ransomware againstβparticularly at scale,β Delamotte said. βMany Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities.β
The development comes as Fortinet FortiGuard Labs disclosed a new LockBit ransomware campaign employing βevasive tradecraftβ to avoid detection through .IMG containers that bypass Mark-of-the-Web (MotW) protections.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.