New Linux versions of the IceFire ransomware were deployed in February against the networks of several media and entertainment sector organizations around the world.
According to security researchers at SentinelOne, the campaign exploited CVE-2022-47986, a recently patched deserialization vulnerability in IBM Aspera Faspex file-sharing software.
“The operators of the IceFire malware, who previously focused only on targeting Windows, have now expanded their focus to include Linux,” wrote SentinelOne senior threat researcher Alex Delamotte in Thursday’s advisory.
The move is a strategic shift, the researcher says, that aligns the IceFire group with other ransomware groups that have also moved to target Linux systems.
“Compared to Windows, Linux is more difficult to deploy ransomware against, particularly at scale,” Delamotte wrote. “Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities.”
In the latest attacks observed by SentinelOne, upon execution the IceFire Linux version downloaded two separate payloads that encrypt files and then delete the malware.
“IceFire ransomware doesn’t encrypt all files on Linux: it avoids encrypting certain paths so that critical parts of the system are not encrypted and remain operational,” said Delamotte.
“Interestingly, several file-sharing clients downloaded benign encrypted files after IceFire had encrypted the file server’s shared folders. Despite the attack on the server, clients were still able to download files from the encrypted server.”
At the time of writing, IceFire has reportedly impacted victims in Turkey, Iran, Pakistan and the United Arab Emirates (UAE). The Linux variants observed by SentinelOne were detected by none of the 61 VirusTotal engines.
“This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023,” Delamotte added. “While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal, including the likes of BlackBasta, Hive, Qilin, Vice Society (aka HelloKitty) and others.”
Ransomware is not the only type of malware increasingly targeting Linux. In December 2022, Trend Micro observed threat actors using the Chaos RAT to improve the efficiency of cryptocurrency mining attacks against Linux systems.
Some parts of this article are sourced from: www.infosecurity-journal.com