In today’s episode, we explore a critical remote code execution vulnerability in the Ghostscript library (CVE-2024-29510) exploited in the wild (https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/), the significant impact of the CDK Global cyberattack on Sonic Automotive’s sales and operations (https://www.cybersecuritydive.com/news/sonic-automotive-sales-decline-cdk-attack/720722/), and the rise of the Eldorado ransomware-as-a-service targeting Windows and Linux systems (https://thehackernews.com/2024/07/new-ransomware-as-service-eldorado.html). Tune in to get the latest insights and expert opinions on these pressing cybersecurity issues.
Video Episode: https://youtu.be/dGMbjah4Gho
Sign up for digestible cyber news delivered to your inbox: news.thedailydecrypt.com
00:00 – Intro
01:00 – Eldorado RaaS Encrypts Windows, Linux Files
03:50 – CDK Cyberattack Cripples Sonic Automotive Sales
05:42 – Ghostscript RCE Bug Exploited in Active Attacks
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Episode Tags
Ghostscript, CVE-2024-29510, vulnerability, EPS, remote code execution, Linux systems, high-risk attacks, document conversion, protection, Sonic Automotive, CDK Global, cyberattack, financial performance, Ransomware-as-a-Service, Eldorado, encryption, cross-platform technologies
Search Phrases
- How to protect against Ghostscript CVE-2024-29510 vulnerability
- Sonic Automotive cyberattack news
- Impact of CDK Global cyberattack on Sonic Automotive
- Eldorado ransomware encryption techniques
- Ghostscript EPS files exploit
- Ransomware-as-a-Service latest threats
- Financial impact of cyberattacks on automotive industry
- Advanced cross-platform ransomware
- Ghostscript remote code execution vulnerability 2024
- Eldorado ransomware victims 2024
Jul9
There is a new ransomware as a service named Eldorado that is now encrypting files on both windows and Linux systems using advanced cross-platform technologies.
And it’s already targeted 16 victims across multiple industries since its debut in March of 2024. How does Eldorados ransomware encryption method differ from the other well-known strains, like lock bit or baboon? The effects of the CDK global ransomware attack. A few weeks ago, still remain as Sonic automotive vehicle sales have plummeted.
How are CDK customers recovering and what are the longterm impacts?
It might have on their financial performance.
And finally.
Thursday, remote code execution, vulnerability in ghost script that comes pre-installed on many Linux systems. That’s now being exploited. Through EPS files disguised as JPEGs.
How can you protect? The document conversion services against this go scrip, vulnerability. You’re listening to the daily decrypt.
It’s both a sad and exciting day when we get to announce a new ransomware as a service operation.
This time it’s named Eldorado. And it targets both windows and Linux systems with specialized locker variants.
It’s specific strain of malware surfaced on March 16th, 2024.
As of late June Eldorado has claimed 16 victims with 13 in the U S two in Italy and one in Croatia. And specifically it’s targeting industries, including real estate education, professional services, healthcare and manufacturing. So it seems like they don’t really have a type they’re just looking to get their foot in the door.
Eldorado.
Is similar to all of the major names in ransomware as a service as it is a double extortion ransomware service which is a devilish tactic that builds on the traditional form of ransomware where threat actors.
Would gain access to a network. Encrypt all the files. And then sell you the decryption key for an exorbitant amount of money.
So that you can decrypt the files and carry on with your business.
Well, it’s now evolved to that. Plus they exfiltrate all your data and threatened to sell it on the dark web. If you don’t pay.
Which is much more effective because standard practices to back up your data. So you can get back up online. And if you do that correctly, Encrypting your data. It doesn’t do anything because you’ll be able to back it up. Oftentimes it’s not done correctly. And your backups are also encrypted.
But in the case,
We’re backups are appropriately implemented. These ransomware artists use double extortion.
And this service has all the indicators that is very organized. As the affiliate program was advertised on the ransomware forum ramp, which.
Indicates a level of professionalism and organization. You’d see in the top ransomware as a service groups.
A security research firm was able to infiltrate this ransomware group and identified the representative as a Russian speaker. And noted that Eldorado does not share any sort of code with the previously.
Leaked ransomware like locked bit or Bebout.
And like mentioned before. This Target’s primarily windows and Linux environments. And the encrypter comes in four different formats. ESX PSI. Yes. 6 64 when and when 64.
Which enhances the flexibility and increases its threat potential across different system architectures.
Eldorado uses Golang for its cross-platform capabilities. Cha-cha 20 for filing encryption and RSA. Oh, AEP for key encryption, it can also encrypt files. On shared networks using SMB.
The windows variant employs a PowerShell command to overwrite the locker file with random bites before deleting it. Uh, aiming to erase the trace. Of the threat actor.
And for more key indicators of compromise.
Check out the article by the hacker news in our show notes.
And I’m hopeful that we won’t hear much more about this ransomware as a service.
But given its capabilities, we probably will.
This next story hits a little close to home, which is why I chose to include it in this episode as my car. Stopped working last night. And I got to spend an hour and a half on the phone with the technicians. Just trying to find me an appointment because all of the scheduling was still down due to the ransomware attack.
Needless to say. I couldn’t get an appointment at the dealership for. Over a month and a half.
Which is in line with what the news is reporting.
As an effect of the CDK global ransomware attack that happened three or four weeks ago.
So Sonic automotive, which is a fortune 500 company has reported a significant drop in car sales.
Since June 19th.
Which is due to the fact that all their systems were down. So they weren’t able to process these car sales at the same speed people. People still want to buy cars. They just can’t.
You know, it’s kind of like fast food.
Is a process that changed the market completely. As far as restaurants go.
Because they’re just able to serve more and more customers. Faster, thus making more money. But it’s like if the stove got ransomwared and we had to take the stove down, right.
There are alternate methods. Like maybe they go get some hot plates from target or whatever, but it just slows down the process.
Which is exactly what ransomware can do.
In fact, over 15,000 car dealerships across north America, rely on CDKs cloud-based services.
And in the past couple of weeks, CDK was actually able to fully recover, bringing their core services back online. But the trickle down effect is that. These individual dealers still have to keep their services offline.
Or we’re unable to fully restore their services.
So, yeah, this is just one example of how long it takes to recover.
From a ransomware attack.
And how helpless you can be if the ransomware attack happened earlier on in the supply chain, like it did here.
And finally the hottest new vulnerability being exploited in the wild.
Is there a remote code execution vulnerability found in the ghost script document conversion toolkit.
That is widely used on Linux systems. And often integrated with software, like. Image magic Libra office. Inkscape scribe us. And all kinds of other softwares.
This vulnerability affects all installations of ghost script 10. Point zero 3.0 and earlier it allows attackers to escape the dash D safer sandbox, enabling dangerous operations, such as command execution.
And file IO.
Attackers are exploiting this vulnerability in the wild.
Using EPS files disguised as JPEG images to gain shell access to these vulnerable systems.
If you work in it.
And either no, or unsure.
If your systems are vulnerable.
Cody and labs has developed and released a postscript file. That can be used to detect these vulnerable systems.
So make sure to check out the link by bleeping computer in the show notes below.
So you can keep your system safe.
This has been the Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don’t forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.