IceFire, a previously known Windows-based ransomware strain, has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne.
A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews.IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasn't until August 2022 that victims were publicized via its dark web leak site, according to GuidePoint Security, Malwarebytes, and NCC Group.
The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that's installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software. It's also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.