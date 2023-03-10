

According to new research by SentinelOne, IceFire ransomware is targeting Linux servers by exploiting a known vulnerability in IBM Aspera Faspex. IceFire emerged on the ransomware landscape roughly a year ago and by September had claimed a top-three spot on NCC Group's list of most active threat groups. Now IceFire activity has expanded to target Linux servers in addition to Windows systems. Like many ransomware gangs and other threat actors, IceFire is leveraging a known, already-patched vulnerability that remains unpatched in some enterprise environments.

IceFire Ransomware Exploits IBM Vulnerability, Targets Linux

IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software, tracked as CVE-2022-47986, to break into vulnerable systems and deploy their ransomware payload. The high-severity pre-authentication remote code execution (RCE) flaw was patched by IBM in January 2023 and has been exploited in attacks since early February.

CISA added the flaw to its Known Exploited Vulnerabilities catalog in February 2023 and ordered federal agencies to patch their systems by March 14.

“In comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective,” SentinelLabs says.

“To overcome this, actors turn to exploit application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability.”
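The article names the vulnerability class (deserialization of untrusted data) and the attacker's reason for choosing it, but not what the class looks like in code. The following is an added example that is not from the original page, from IBM's Faspex code, or from SentinelLabs. Faspex is written in Ruby on Rails, so the example is in Ruby using Psych, the standard YAML library; it uses YAML deserialization as a representative case of the class and makes no claim about the specific Faspex code path. The Invoice and Sink classes, the two request bodies, and the loader functions are all constructed for illustration. It shows the vulnerable pattern (fully deserializing attacker-supplied data, which lets the sender choose which Ruby class gets instantiated) next to the hardened pattern (safe_load with an explicit class allow-list), without any gadget chain.

```ruby
require 'yaml'

# Added example, not code from Faspex or SentinelLabs. It shows the
# vulnerability class the article names (deserializing attacker-controlled
# data) using Psych, Ruby's YAML library. No gadget chain is included: the
# point is that an unsafe loader lets the sender pick which class is built.

# Hypothetical application class the server legitimately expects to receive.
class Invoice
  attr_accessor :id, :note
end

# Hypothetical class the application never meant to build from user input.
# In a real attack this would be a class from the app or its gems whose
# construction has a dangerous side effect; here it only records its data.
class Sink
  attr_accessor :cmd
end

# Constructed request bodies standing in for an untrusted HTTP parameter.
BENIGN_YAML    = "--- !ruby/object:Invoice\nid: 42\nnote: quarterly\n"
MALICIOUS_YAML = "--- !ruby/object:Sink\ncmd: id\n"

# Vulnerable pattern: full YAML deserialization of untrusted input.
# Psych >= 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; older Psych only has the unsafe YAML.load,
# so the branch below always selects the unsafe loader for the running Ruby.
def load_untrusted_unsafe(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Hardened pattern: safe_load only builds scalars, arrays and hashes plus an
# explicit allow-list of classes; any other !ruby/object tag raises
# Psych::DisallowedClass before the object is ever allocated.
def load_untrusted_safe(doc)
  YAML.safe_load(doc, permitted_classes: [Invoice])
end

# Wrapper so callers see a rejection as a value rather than an exception.
def safe_load_result(doc)
  [:ok, load_untrusted_safe(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  sink = load_untrusted_unsafe(MALICIOUS_YAML)
  puts "unsafe loader built a #{sink.class} with cmd=#{sink.cmd.inspect}"
  status, detail = safe_load_result(MALICIOUS_YAML)
  puts "safe loader on malicious input: #{status} (#{detail})"
  status, inv = safe_load_result(BENIGN_YAML)
  puts "safe loader on benign input: #{status}, Invoice id=#{inv.id}"
end
```

Run it with `ruby deserialization_demo.rb`. The unsafe loader hands back a `Sink` instance it was never told about, which is the property an attacker builds on: with a class whose construction or finalization executes code, the same request becomes pre-authentication RCE. The allow-list is the fix, but it only helps if every permitted class is genuinely safe to build from arbitrary field values, so keep the list short and prefer plain hashes where the application can work with them.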

Shodan shows more than 150 Aspera Faspex servers exposed online, most of them in the United States and China.

