

Contrary to past behavior targeting technology companies, the Linux variant of IceFire was observed attacking media and entertainment companies.

The attackers' tactics are consistent with those of the "big-game hunting" (BGH) ransomware families, which involve double extortion, attacks against large enterprises, the use of numerous persistence mechanisms, and evasion tactics such as deleting log files, according to the SentinelLabs report. Double extortion occurs when attackers steal data as well as encrypting it, and usually ask for a ransom that's double the usual payment.

Characteristics of the IceFire Linux variant

The IceFire Linux version is a 2.18 MB, 64-bit ELF (executable and linkable format) binary compiled with the open source GCC (GNU Compiler Collection) for the AMD64 processor architecture. The payload also runs successfully on Intel-based distributions of Ubuntu and Debian. The IceFire Linux version was found deployed against hosts running CentOS, an open-source Linux distribution, that ran a vulnerable version of IBM Aspera Faspex file server software. Using this exploit, the system downloaded the IceFire payloads and executed them to encrypt files and rename them with the ".ifire" extension, after which the payload was designed to delete itself to avoid detection.

The IceFire Linux payload is scripted to exclude from encryption certain system-critical files and paths, including file extensions such as .xmlb and .p, and the paths /boot, /dev, /etc, /lib, /proc, /srv, /sys, /usr, /var and /run. This was done so that critical parts of the system are not encrypted and remain operational. Another new tactic observed in the IceFire Linux variant was the exploitation of a vulnerability instead of traditional delivery through phishing messages or pivoting through post-exploitation third-party frameworks such as Empire, Metasploit and Cobalt Strike.

The IceFire payload uses RSA encryption and the Tor network.

IceFire payloads are hosted on a DigitalOcean droplet, a virtual machine on the DigitalOcean cloud computing platform, using the IP address 159.65.217.216. SentinelLabs recommends wildcarding this DigitalOcean IP address in case the actors pivot to a new delivery domain. Wildcarding refers to the use of a wildcard character in a security policy or configuration rule to cover multiple devices.
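As an added defender-side example (not SentinelLabs' code or anything from the report), the following Python runs triage checks that follow from the behavior described above: it lists files renamed with the .ifire extension, reports whether a path falls under the stated exclusion rules, and looks in /proc for processes whose executable has been unlinked, which is how a self-deleting payload still shows up on a live host. The sample tree, PID and binary path are constructed; the extension list holds only the two values visible on the page.

```python
import os
import tempfile
from pathlib import Path
# Directories the page says the payload skips so the host stays operational
EXCLUDED_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/srv", "/sys", "/usr", "/var", "/run")
EXCLUDED_EXTS = (".xmlb", ".p")  # only the extensions visible on the page (its list is truncated)

def would_be_excluded(path: str) -> bool:
    """True if the exclusion rules described above would spare this path."""
    p = Path(path)
    if any(p == Path(d) or Path(d) in p.parents for d in EXCLUDED_DIRS):
        return True
    return p.suffix in EXCLUDED_EXTS

def find_encrypted_files(root: str) -> list:
    """Walk root and list files carrying the .ifire extension (impact assessment)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n.endswith(".ifire")]
    return sorted(hits)

def find_deleted_executables(proc_root: str = "/proc") -> dict:
    """Map PID -> exe target for processes whose binary was unlinked from disk.
    A payload that deletes itself after launch still shows here as '(deleted)'."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads, permission denied, process already gone
            continue
        if target.endswith(" (deleted)"):
            found[int(entry)] = target
    return found

def demo():
    """Run both checks over a constructed data tree and a constructed /proc (no real host data)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "data")
        data.mkdir()
        (data / "report.docx.ifire").write_bytes(b"\x00")  # simulated encrypted file
        (data / "notes.txt").write_bytes(b"plain text")
        proc = Path(tmp, "proc")
        (proc / "4242").mkdir(parents=True)
        os.symlink("/tmp/payload (deleted)", proc / "4242" / "exe")  # hypothetical self-deleted binary
        (proc / "1").mkdir()
        os.symlink("/usr/lib/systemd/systemd", proc / "1" / "exe")  # ordinary process
        hits = [os.path.relpath(f, tmp) for f in find_encrypted_files(str(data))]
        return hits, find_deleted_executables(str(proc))
```

On a real host, call find_deleted_executables() with the default /proc and find_encrypted_files() over the data volumes; the exclusion check is useful when deciding which surviving files are expected rather than evidence the encryptor failed.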
