Does IceFire Ransomware Portend a Broader Shift From Windows to Linux? (darkreading.com)
An anonymous reader shares this report from Dark Reading:
In recent weeks, hackers have been deploying the "IceFire" ransomware against Linux enterprise networks, a noted shift for what was once a Windows-only malware.
A report from SentinelOne suggests that this may represent a budding trend. Ransomware actors have been targeting Linux systems more than ever in cyberattacks in recent weeks and months, notable not least because "in comparison to Windows, Linux is more difficult to deploy ransomware against, particularly at scale," Alex Delamotte, security researcher at SentinelOne, tells Dark Reading....
"[M]any Linux systems are servers," Delamotte points out, "so typical infection vectors like phishing or drive-by download are less effective." So instead, recent IceFire attacks have exploited CVE-2022-47986 — a critical remote code execution (RCE) vulnerability in the IBM Aspera data transfer service, with a CVSS rating of 9.8.
Delamotte posits a few reasons for why more ransomware actors are choosing Linux as of late. For one thing, she says, "Linux-based systems are frequently utilized in enterprise settings to perform crucial tasks such as hosting databases, Web servers, and other mission-critical applications. Consequently, these systems are often more valuable targets for ransomware actors due to the possibility of a larger payout resulting from a successful attack, compared to a typical Windows user."
A second factor, she guesses, "is that some ransomware actors may perceive Linux as an unexploited market that could yield a higher return on investment."
While previous reports had IceFire targeting tech companies, SentinelLabs says they've seen recent attacks against organizations "in the media and entertainment sector," impacting victims "in Turkey, Iran, Pakistan, and the United Arab Emirates, which are typically not a focus for organized ransomware actors."
Patch your servers, Linux admins (Score:1)
Linux ransomware ought not to be allowed (Score:1)
... Before I can get a good Photoshop replacement on Linux.
Re: (Score:2)
A lot of people assume that Linux is "safe" just because it's "Linux", but in reality it has vulnerabilities just like every OS does. The real reason Windows is targeted so frequently is because of its large market share and because there aren't 1000 different versions. That complacency makes Linux an easy target in some cases. Let's also not forget that most phone-based operating systems are Linux-based, so in that sense, "Linux Malware" is hardly rare.
Sure Linux has vulnerabilities. But I wonder how many of the ransomware-affected Linux machines were running with SELinux in enforcing mode.
Note I'm not pondering how many servers, in total, are running with SELinux in enforcing. I'm wondering how effective it is in preventing this sort of thing.
Re: (Score:2)
Probably quite effective, but more in the way that it prevents say Apache which might have been able to encrypt a directory from being able to SSH sideways to another machine to repeat.
Unless you've enabled httpd exec ...
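The two replies above turn on whether SELinux is actually enforcing and whether the httpd booleans that widen a web server's reach have been switched on. As an added example (not from the thread, SentinelOne or Dark Reading), the script below parses `getenforce` and `getsebool -a` style output and flags the httpd booleans that let a confined `httpd_t` process do more than serve pages: initiate outbound connections (which is what would let it "SSH sideways"), execute writable memory, run CGI or SSI, send mail. The boolean names are real RHEL/Fedora targeted-policy booleans; the choice of which ones to treat as risky, the reading of "httpd exec" as `httpd_execmem`/`httpd_ssi_exec`, and the sample `getsebool` output are the example's own assumptions, and the sample is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Audits SELinux posture relevant to
# the blast radius of a compromised web server: is the policy enforcing, and
# which httpd booleans that widen httpd_t's reach are turned on?

# Real targeted-policy boolean names; treating these as "risky when on" is
# this example's judgement, not a statement from the thread or any vendor.
RISKY_HTTPD_BOOLS="httpd_can_network_connect httpd_execmem httpd_ssi_exec httpd_enable_cgi httpd_can_sendmail httpd_unified httpd_tty_comm"

# CONSTRUCTED sample of `getsebool -a` output so the script runs offline.
SAMPLE_SEBOOL='httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_execmem --> off
httpd_ssi_exec --> on
samba_enable_home_dirs --> off'

# check_mode MODE: "ok" only for Enforcing; Permissive/Disabled only log denials
# (or nothing), so they do not stop a process from acting outside its domain.
check_mode() {
  case "$1" in
    Enforcing) echo ok ;;
    *) echo weak ;;
  esac
}

# flag_bools: reads `getsebool -a` lines on stdin ("name --> on|off") and
# prints each risky httpd boolean that is currently on, in input order.
flag_bools() {
  while read -r name arrow state; do
    [ "x$arrow" = "x-->" ] || continue
    [ "$state" = "on" ] || continue
    for r in $RISKY_HTTPD_BOOLS; do
      if [ "$name" = "$r" ]; then
        echo "$name"
      fi
    done
  done
}

# count_flagged TEXT: number of risky httpd booleans that are on in TEXT.
count_flagged() {
  printf '%s\n' "$1" | flag_bools | wc -l | tr -d ' '
}

# verdict MODE TEXT: one-line summary combining mode and boolean findings.
verdict() {
  mode_state=$(check_mode "$1")
  n=$(count_flagged "$2")
  if [ "$mode_state" = "ok" ] && [ "$n" = "0" ]; then
    echo "enforcing, no risky httpd booleans on"
  elif [ "$mode_state" = "ok" ]; then
    echo "enforcing, but $n risky httpd boolean(s) on"
  else
    echo "not enforcing: booleans are irrelevant until SELinux is enforcing"
  fi
}

# audit_live: run against the real host (needs libselinux-utils/policycoreutils).
audit_live() {
  if ! command -v getenforce >/dev/null 2>&1; then
    echo "getenforce not found; SELinux userspace tools are not installed"
    return 2
  fi
  mode=$(getenforce)
  bools=$(getsebool -a 2>/dev/null)
  echo "SELinux mode: $mode"
  printf '%s\n' "$bools" | flag_bools | sed 's/^/risky httpd boolean on: /'
  verdict "$mode" "$bools"
}

# Run `./selinux_httpd_audit.sh --live` on a host; with no argument the script
# only defines functions and evaluates the constructed sample.
if [ "${1:-}" = "--live" ]; then
  audit_live
else
  echo "sample verdict: $(verdict Enforcing "$SAMPLE_SEBOOL")"
fi
```

Against the constructed sample the verdict is "enforcing, but 3 risky httpd boolean(s) on"; `httpd_can_network_connect` is the one that matters most for the lateral-movement scenario in the reply, since with it off a confined httpd process cannot open outbound TCP connections at all, whatever it manages to run.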
Re: (Score:2)
My take on this is one platform has a common attack surface, and active directory makes life easier for the attacker due to its call-home model.
Most Linux setups in the enterprise disallow call-home to the AD analogue/management/admin machines.
To me this makes a massive difference when it comes to the blast radius of a compromised box.
Re: (Score:1)
The real reason Windows is targeted so frequently is because of its large market share and because there aren't 1000 different versions.
The real reason Windows is targeted so frequently is because it's so damned easy to compromise. We found this out when Linux was dominating web services, yet Windows still accounted for almost 100% of web server compromises. Windows is just way, way, WAY easier to compromise because of its truly shitty codebase. I doubt that will ever change.
There are probably several reasons why Linux is being increasingly targeted, but increasing popularity is likely at the very bottom of the list. It was already popular
Re:Linux is just an OS (Score:4, Insightful)
A lot of people assume that Linux is "safe" just because it's "Linux"
No. Linux is safe because it doesn't hide how it works. Its philosophy prioritizes security over ease of use.
The real reason Windows is targeted so frequently is because of its large market share and because there aren't 1000 different versions.
When you play with numbers you can see what you want to see. There are more servers running Linux than Windows.
It's funny how I can install the same software on all those 1000 different versions, not to mention the BSDs and their derivatives.
That complacency makes Linux an easy target in some cases. Let's also not forget that most phone-based operating systems are Linux-based, so in that sense, "Linux Malware" is hardly rare.
Do you own shares in Microsoft? What complacency? What are you talking about?
Re: (Score:2)
No, it doesn't (Score:2)
You are conflating Linux on servers, which is incredibly common, with Linux on the desktop, where it isn't.
Re: (Score:1)
You are conflating Linux on servers, which is incredibly common, with Linux on the desktop, where it isn't.
The kernel is the same in both instances. The same software can run on both desktop and server, though the server often is run headless.
Probably like a lot of recent situations (Score:2)
I wouldn't be surprised if they're first phishing non-technical users, then using credentials / access gained from that to get at more privileged systems where they can then leverage local privilege escalation exploits.
In which case these issues would be as much about auditing / managing / limiting which accounts really need access to critical systems as anything else. Does your CEO really need the ability to log into your control systems?
Question, (Score:2)
Re: (Score:1)
Re: (Score:2)
Well it's a different Software distribution model (Score:2)
While on many operating system environments users are downloading installers from dubious websites or "App-Stores" with no quality standards, software distribution on most Linux-systems is a lot different.
There you have your distribution. Most end users will never have to install software from outside that distribution. You have your package manager and it contains a curated set of software. There are typically minimal standards set by your distribution, which keeps out deliberate malware. Nobody enters "so
Re: Well it's a different Software distribution mo (Score:2)
If you have end-users installing applications on their desktops, you've recreated the very worst part of Windows XP "security" in Linux (every user an admin)! Congratulations!
Re: (Score:2)
Re: (Score:2)
IceFire exploit was removed in Faspex 4.4.2 (Score:1)
to funny! (Score:2)
Boob factor (Score:2)
As more and more incompetent boobs use Linux to do more and more childish stupid shit, it will be more successfully targeted by malware. Its present saving grace (the same thing that protects "big iron") is that the incompetent children are relegated to playing their childish endeavours at the children's table using children's toys. The malware stays where it is most effective -- targeting the children and their silly games.
The interesting thing is that the problem is not the Operating System but rather t