uTalk

A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne.
"This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems," Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News.

A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews.

IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasn't until August 2022 that victims were publicized via its dark web leak site, according to GuidePoint Security, Malwarebytes, and NCC Group.

IceFire Ransomware
The ransomware binary targeting Linux is a 2.18 MB 64-bit ELF file that's installed on CentOS hosts running a vulnerable version of IBM Aspera Faspex file server software.

It's also capable of avoiding encrypting certain paths so that the infected machine continues to be operational.

"In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale," Delamotte said. "Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective. To overcome this, actors turn to exploiting application vulnerabilities."

The development comes as Fortinet FortiGuard Labs disclosed a new LockBit ransomware campaign employing "evasive tradecraft" to avoid detection through .IMG containers that bypass Mark of The Web (MotW) protections.

The Securities and Exchange Commission today announced that Blackbaud Inc., a South Carolina-based public company that provides donor data management software to non-profit organizations, agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.

The SEC’s order finds that, on July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures. Due to this failure, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

The SEC's order finds that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty.

The SEC’s investigation was conducted by Brent Wilner and supervised by Diana Tani, Carolyn Welshhans, and Mr. Hirsch. The SEC appreciates the assistance of the Federal Trade Commission and the Offices of the Attorneys General for the States of Indiana and Vermont.

Most areas, such as the corporate network, endpoints, servers, and cloud infrastructure, are typically well-visible to security teams. They take advantage of this visibility to impose the necessary security and compliance requirements. This is not the case with sensitive data stored in production or analytic databases, data warehouses, or data lakes.

To locate sensitive data and enforce access controls and security policies, security teams must rely on data teams. This is causing major problems for both the security and data teams. It erodes the company's security and compliance, putting it at risk of exposing sensitive data, large fines, reputational damage, and other consequences. In many cases, it also limits the company's ability to scale up data operations.

This article examines how Satori, a data security platform, gives control of the sensitive data in databases, data warehouses and data lakes to the security teams.

Satori's automated data security platform provides a simple and easy way to meet security and compliance requirements while reducing risk exposure.

Why is Securing Data Stores Hard?#
Security teams don't have good visibility and enforcement of policies regarding access to DBs, data warehouses or data lakes. Take a look at an example.

Nick is a security engineering manager at ACME organization. He is responsible for keeping up with changing security and compliance regulations such as HIPAA, SOC2, and ISO. This is a difficult task since security and compliance regulations are always changing and evolving. Nick is good at his job and can wade through the complexities of the different regulations and determine the necessary security measures to ensure that ACME remains in compliance. This is important so that ACME doesn't fail an audit, expose sensitive data, receive fines or worse.

Then, one day, Nick is suddenly tasked with meeting security and compliance requirements across all of ACME's analytic and production data.

Nick faces a problem. Although he has done his job and determined the necessary steps to ensure security and compliance it is very difficult to actually carry out these steps and implement the security policies. There are several reasons why Nick's job is difficult and frustrating that are explored in more detail below.

Visibility Over Sensitive Data and Logs#
Nick's lack of visibility limits his ability to implement and manage security policies and compliance requirements. Three main sources impede his visibility.