Traditionally known to target only Windows systems, the new Linux version of the IceFire ransomware exploits an IBM Aspera Faspex file-sharing vulnerability, according to SentinelLabs.

A novel Linux version of the IceFire ransomware that exploits a vulnerability in IBM’s Aspera Faspex file-sharing software has been identified by SentinelLabs, a research division of cybersecurity company SentinelOne. The exploit is for CVE-2022-47986, a recently patched Aspera Faspex vulnerability.

Known up to now to target only Windows systems, the IceFire malware detected by SentinelLabs uses an iFire extension, consistent with a February report from MalwareHunterTeam, a group of independent cybersecurity researchers analyzing and tracking threats, that IceFire is shifting focus to Linux enterprise systems. Contrary to its past behavior of targeting technology companies, the Linux variant of IceFire was observed attacking media and entertainment companies.

The attackers’ tactics are consistent with those of the “big-game hunting” (BGH) ransomware families: double extortion, attacks against large enterprises, the use of numerous persistence mechanisms, and evasion tactics such as deleting log files, according to the SentinelLabs report. Double extortion occurs when attackers steal data as well as encrypting it, and usually ask for a ransom that’s double the usual payment.

Characteristics of the IceFire Linux variant

The IceFire Linux version is a 2.18 MB, 64-bit ELF (Executable and Linkable Format) binary compiled with the open-source GCC (GNU Compiler Collection) for the AMD64 processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian.
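As an added triage example (not code from the article, SentinelLabs or the IceFire authors), the script below reads the ELF header of a suspect file to confirm the profile the report gives, a 64-bit ELF built for AMD64 (x86-64), and scans the image for a PEM-framed block, one assumption about how the hard-coded RSA public key the report mentions later might be stored. The ELF constants are from the ELF specification; the sample input is a constructed header followed by a fake PEM block, not an IceFire sample.

```python
import re
import struct
import sys

# Constants from the ELF specification (not from the article).
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5
ELF_CLASSES = {1: 32, 2: 64}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}

# Assumption: the embedded key is stored as PEM text.  The article only says
# an RSA public key is hard-coded into the binary, not in which encoding.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)


def parse_elf_header(data):
    """Return class, endianness, type, machine and entry point of an ELF image, or raise ValueError."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    bits = ELF_CLASSES.get(data[EI_CLASS])
    endian = {1: "<", 2: ">"}.get(data[EI_DATA])
    if bits is None or endian is None:
        raise ValueError("unknown EI_CLASS or EI_DATA")
    # e_type and e_machine sit at the same offsets for ELF32 and ELF64.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    # e_entry is 4 bytes in ELF32 and 8 bytes in ELF64; both start at offset 24.
    e_entry = struct.unpack(endian + ("I" if bits == 32 else "Q"), data[24:24 + bits // 8])[0]
    return {
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def matches_reported_profile(data):
    """True when the image is a 64-bit little-endian x86-64 ELF, the profile the report describes."""
    try:
        h = parse_elf_header(data)
    except ValueError:
        return False
    return h["bits"] == 64 and h["endian"] == "little" and h["machine"] == "x86-64"


def find_embedded_pem_blocks(data):
    """Return (label, pem_bytes) for every PEM-framed block found as plain text in the image."""
    return [(m.group(1).decode("ascii"), m.group(0)) for m in PEM_RE.finditer(data)]


def build_constructed_sample():
    """Constructed input: a minimal ELF64 x86-64 header, padding, and a fake PEM block (not a real key)."""
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, SysV ABI, padding
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = struct.pack("<16sHHIQQQIHHHHHH", ident,
                         2,          # e_type = EXEC
                         62,         # e_machine = x86-64
                         1,          # e_version
                         0x401000,   # e_entry
                         64, 0, 0,   # e_phoff, e_shoff, e_flags
                         64, 56, 0,  # e_ehsize, e_phentsize, e_phnum
                         64, 0, 0)   # e_shentsize, e_shnum, e_shstrndx
    fake_key = (b"-----BEGIN PUBLIC KEY-----\n"
                b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBLRVk=\n"
                b"-----END PUBLIC KEY-----\n")
    return header + b"\x00" * 256 + fake_key + b"\x00" * 64


if __name__ == "__main__":
    # Pass a path to triage a real file; with no argument the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print(parse_elf_header(image))
    print("matches reported profile:", matches_reported_profile(image))
    for label, _blob in find_embedded_pem_blocks(image):
        print("embedded PEM block:", label)
```

Only the fixed-size header is parsed, so the check works on a partial capture as well as a full binary; a key stored in DER or obfuscated form would not be found by the PEM scan and would need a different search.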
The IceFire Linux version was found deployed against hosts running CentOS, an open-source Linux distribution, that ran a vulnerable version of the IBM Aspera Faspex file server software. Through this exploit, the IceFire payloads were downloaded to the system and executed to encrypt files and rename them with the “.ifire” extension, after which the payload was designed to delete itself to avoid detection.

The IceFire Linux payload is scripted to exclude certain system-critical files and paths from encryption, including the file extensions .cfg, .o, .sh, .img, .txt, .xml, .jar, .pid, .ini, .pyc, .a, .so, .run, .env, .cache, .xmlb, and p, and the paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var, /run. This was done so that critical parts of the system are not encrypted and remain operational.

Another new tactic observed in the IceFire Linux variant was the exploitation of a vulnerability instead of traditional delivery through phishing messages or pivoting through post-exploitation third-party frameworks such as Empire, Metasploit and Cobalt Strike.

IceFire payload uses RSA encryption, Tor network

IceFire payloads are hosted on a DigitalOcean droplet (a virtual machine on the DigitalOcean cloud computing platform) at the IP address 159.65.217.216. SentinelLabs recommends wildcarding this DigitalOcean IP address in case the actors pivot to a new delivery domain. Wildcarding refers to the use of a wildcard character in a security policy or configuration rule to cover multiple devices. The IceFire payload uses the RSA encryption algorithm with an RSA public key hard-coded into the binary.
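The indicators above translate directly into hunting logic. The script below is an added example (not from the article or from SentinelLabs) that flags log lines referencing the payload-hosting IP, with an optional wildcarded form such as 159.65.217.* in the spirit of the recommendation, walks a directory tree for files carrying the .ifire extension, and separates out any hit under a path the report says the payload skips, since such a hit does not fit the described behaviour and deserves a second look. The log lines and the directory tree are constructed for the demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the article.
IFIRE_EXT = ".ifire"
PAYLOAD_HOST_IP = "159.65.217.216"
# Paths the report says the payload leaves unencrypted.
EXCLUDED_PATHS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys", "/usr", "/var", "/run")

# Constructed log lines (web-server and proxy style), not real captures.
LOG_SAMPLE = [
    '10.0.0.5 - - [01/Mar/2023:10:01:02 +0000] "GET /aspera/faspex/ HTTP/1.1" 200 512',
    "Mar  1 10:02:11 faspex01 proxy: CONNECT 159.65.217.216:80 from 10.0.0.21",
    "Mar  1 10:02:12 faspex01 proxy: CONNECT 159.65.217.42:443 from 10.0.0.21",
    "Mar  1 10:03:00 faspex01 proxy: CONNECT 10.159.65.217:443 from 10.0.0.22",
]


def ip_pattern_to_regex(pattern):
    """Turn '159.65.217.216' or '159.65.217.*' into a regex matching only a whole IPv4 token."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted IPv4 pattern")
    parts = [r"\d{1,3}" if o == "*" else re.escape(o) for o in octets]
    # Lookarounds stop 10.159.65.217 or 159.65.217.2160 from matching.
    return re.compile(r"(?<![\d.])" + r"\.".join(parts) + r"(?![\d.])")


def flag_payload_host(lines, pattern=PAYLOAD_HOST_IP):
    """Return the log lines that reference the given IP or wildcard pattern."""
    rx = ip_pattern_to_regex(pattern)
    return [line for line in lines if rx.search(line)]


def find_ifire_files(root):
    """Walk a tree and return every file carrying the .ifire extension (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(IFIRE_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def off_profile_hits(hits, root):
    """Hits that sit under a path the report says IceFire skips, as root-relative paths."""
    prefixes = tuple(p + "/" for p in EXCLUDED_PATHS)
    out = []
    for h in hits:
        rel = "/" + os.path.relpath(h, root).replace(os.sep, "/")
        if rel.startswith(prefixes):
            out.append(rel)
    return out


def build_constructed_tree():
    """Create a throwaway directory tree with a few renamed files (constructed for the demo)."""
    root = tempfile.mkdtemp(prefix="icefire_demo_")
    layout = {
        "srv/faspex/uploads/report.pdf.ifire": b"",   # under /srv, which the report lists as excluded
        "home/user/notes.txt.ifire": b"",
        "home/user/notes.txt": b"untouched",
        "etc/hosts": b"127.0.0.1 localhost",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    print("exact IP hits:", flag_payload_host(LOG_SAMPLE))
    print("wildcard hits:", flag_payload_host(LOG_SAMPLE, "159.65.217.*"))
    demo_root = build_constructed_tree()
    found = find_ifire_files(demo_root)
    print("renamed files:", found)
    print("hits outside the reported profile:", off_profile_hits(found, demo_root))
```

The wildcard form trades precision for coverage: 159.65.217.* matches the whole /24, which will include unrelated DigitalOcean tenants, so treat wildcard hits as leads to review rather than confirmed infections.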
Additionally, the payload drops a ransom note from an embedded resource in the binary and writes it to each directory targeted for file encryption, the report added. The IceFire ransom demand message includes a predefined username and password that must be used to access the ransom payment website, which is hosted on a Tor hidden service (websites and services hosted on the decentralized Tor network to enable anonymous browsing).

Compared to Windows, Linux presents more challenges for ransomware, especially at scale: many Linux systems are servers, which are less susceptible to common infection methods like phishing or drive-by downloads. This is why attackers have resorted to exploiting vulnerabilities in applications, as evidenced by the IceFire ransomware group, which used the IBM Aspera vulnerability to deploy its payloads.