IceFire ransomware targets Linux, exploits IBM vulnerability

IceFire ransomware is targeting Linux servers by exploiting a known vulnerability in IBM Aspera Faspex, according to new research by SentinelOne.

In a blog post Thursday, Alex Delamotte, senior threat researcher at SentinelOne, detailed the recent threat against enterprises that SentinelLabs observed beginning in mid-February. IceFire emerged on the ransomware landscape one year ago, but claimed a top three spot on the NCC Group's most active threat groups list in September.

Now, IceFire activity has expanded to target Linux servers in addition to Windows systems. Like many ransomware gangs and threat actors, IceFire appears to be leveraging a known vulnerability that remains unpatched in some enterprise environments.

SentinelOne observed these attacks against "several media and entertainment sector organizations worldwide," and it appears most threat detection tools are not effective in catching the new Linux version. The blog post warned that the IceFire binary was detected by none of the 61 threat detection engines compiled by VirusTotal.

"Currently observations indicate the attackers deployed the ransomware by exploiting CVE-2022-47986, a deserialization vulnerability in IBM Aspera Faspex file sharing software," Delamotte wrote in the blog post.

IBM detailed the flaw, which was patched in January, in a security bulletin that was updated earlier this week. While CVE-2022-47986 initially received a CVSS score of 8.1, it was updated to a critical 9.8 out of 10 on February 17. If exploited, the flaw could allow a remote attacker to execute arbitrary code on the system.

CISA added the flaw to its Known Exploited Vulnerability catalog on February 21 and gave federal agencies a due date of March 14 to remediate per vendor instructions. However, IceFire attacks began in mid-February.

"This is very fast exploitation," Delamotte told TechTarget Editorial. "Despite being officially released on February 17, 2023, the vulnerability has a '2022' prefixed CVEID, meaning a record of the vulnerability existed during 2022. Several vulnerability analysis writeups explain how to exploit the flaw, and there is at least one alleged proof-of-concept exploit on GitHub."

IceFire is not the only adversary demonstrating fast exploitation of CVEs. A recent Rapid7 report analyzed "Time to Known Exploitation" and found 56% of the featured vulnerabilities were exploited within one week of public disclosure.

New trend targets Linux

Another unfortunate trend documented in the SentinelOne blog post was the increased targeting of Linux systems. Delamotte emphasized how the "Linux ransomware trend accelerated in 2022" and is used by prominent gangs like BlackBasta, Hive and Vice Society. Now, IceFire has hopped on the bandwagon.

Prior to the recent activity, researchers saw IceFire focusing only on Windows. "This strategic shift is a significant move that aligns them with other ransomware groups who also target Linux systems," Delamotte wrote in the blog.

While the evolution of ransomware gangs targeting Linux continues to grow, Delamotte highlighted several factors that make it more challenging to attack Linux systems. For one, she noted that because many Linux systems are servers, common initial attack vectors such as phishing and drive-by download are less effective.

"To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability," Delamotte wrote in the blog.

Once threat actors gain access, the IceFire ransomware targets user and shared directories for encryptions. Because those are unprotected parts of the file system, Delamotte noted they do not require elevated privileges to write or modify.

Another notable aspect of the attack is how several file sharing clients could still connect to infected servers and download "benign encrypted files" , according to the blog post. Delamotte told TechTarget Editorial the developer was careful to avoid encrypting critical system paths and file extensions, which suggests they likely worked with destructive malware before or was heavily informed on the importance of keeping the system functional.

"File shares receive constant connections -- especially from systems outside of an organization's internet -- making them a very appealing target for ransomware actors," Delamotte said.

Arielle Waldman is a Boston-based reporter covering enterprise security news.