IceFire Ransomware Exploits File Sharing Software to Attack Linux-Powered Enterprise Networks
The IceFire ransomware, previously associated with the ".ifire" file extension and with attacks on Windows servers, has been adapted into a new version that runs on Linux systems within enterprise networks. Media and entertainment companies in Turkey, Iran, Pakistan, and the United Arab Emirates have been the primary victims. IceFire exploits CVE-2022-47986, a deserialization vulnerability in the IBM Aspera Faspex file sharing software. The ransomware encrypts files and evades detection by deleting itself after executing, but most importantly, it leaves certain paths that are critical to the functionality of the server unencrypted, avoiding disruptions, damage, or shutdowns. Moving from Windows-based ransomware to targeting Linux networks is a tactic consistent with other prominent ransomware groups involved in big-game hunting (BGH), part of which focuses on targeting enterprises. The growing use of Linux encryptors by ransomware groups likely correlates with the recent surge of enterprises transitioning to VMware ESXi virtual machines or similar Linux-managed infrastructure. CTIX analysts will continue to monitor this campaign and will provide updates as they become available.
Threat Actor Activity
TA499 Targets North American and European Officials with New Phishing Techniques
A malicious email campaign has struck high-profile individuals throughout Europe and North America, primarily those who have given financial support to Ukraine and its allies. The threat actors responsible belong to the Russia-aligned TA499 group, otherwise referred to as Lexus or Vovan. Active since 2021, TA499 has focused on exploiting those opposed to the Russian state, especially once the Ukraine/Russia conflict began last year. Targets of the group often include top-level officials and high-profile individuals from around the globe, such as mayors, CEOs, and celebrities. This new campaign homes in on North American and European users, with email and phone communications from threat actors posing as political figures such as Ukrainian Prime Minister Denys Shmyhal. However, this campaign is slightly different from the typical phishing operation conducted by other threat groups. In this instance, the threat actors distribute phishing emails containing no malware and instead ask to set up a phone or video conference call to discuss current Russia/Ukraine tensions. These conversations often move to video conferencing, where TA499 actors impersonate Ukrainian officials on camera using deepfake AI technology. The actors then save the recordings, post them on YouTube/RUTUBE, and use them for Russian propaganda. While no malicious software was deployed on victim systems, users were taken advantage of and defamed by these threat actors. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.
Critical Fortinet Vulnerability Allows RCE and Can Lead to DoS
The cybersecurity solutions provider Fortinet has patched a critical vulnerability that could allow unauthenticated remote attackers to execute arbitrary code on vulnerable devices. The flaw, tracked as CVE-2023-25610, affects the administrative interface of its FortiOS and FortiProxy products and is the result of a buffer underflow (also called an underwrite or underrun). A buffer underflow occurs when a program attempts to read input data that is shorter than the allocated space, causing memory leaks and memory corruption. An unauthenticated threat actor could exploit this flaw by sending maliciously crafted requests to vulnerable instances of FortiOS and FortiProxy. Successful exploitation would allow threat actors to crash the service, pilfer sensitive information, conduct remote code execution (RCE), and cause denial-of-service (DoS) conditions on its GUI. Fortinet states in its security advisory that there is no evidence that this vulnerability is being actively targeted and exploited by attackers. CTIX analysts recommend that all administrators managing Fortinet devices ensure that they download and install the latest patch to prevent exploitation. If Fortinet products cannot be patched at this time, Fortinet has provided manual workarounds, which include completely disabling the HTTP/HTTPS administrative interface, blocking it from the public internet, or allowlisting authorized IP addresses so that unauthenticated users cannot reach the vulnerable instances.
- Bleeping Computer: CVE-2023-25610 Article
- The Hacker News: CVE-2023-25610 Article
- Fortiguard: CVE-2023-25610 Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.