Cyber Dispatch #5: Streamlined Cybersecurity Insights
Weekly overview of the most important cybersecurity events of the past week (Monday 1.7.2024 to Wednesday 10.7.2024)
In this issue:
Ghostscript - RCE in the Ghostscript document conversion toolkit;
Eldorado RaaS - new player on the ransomware scene targets 16 victims worldwide;
Ticketmaster/Sp1derHunters - hacker group leaks another 39k print-at-home tickets;
Neiman Marcus - 31m customers affected, and not 64k as first reported;
PhilHealth/Medusa Ransomware - 42m leaked sets of data: lawmakers demand immediate explanation;
Polyfill.io/Hetzner CSP - a supply chain attack via cloud hosting affects Mercedes, Warner Bros, Hulu…
Operation MORPHEUS - a crackdown on servers using Cobalt Strike for malicious purposes;
Vulnerability of the Week - Ghostscript RCE (CVE-2024-29510) - Update Now
A remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) is being actively exploited. This flaw affects Ghostscript 10.03.0 and earlier, allowing attackers to bypass the -dSAFER sandbox and perform high-risk operations like command execution and file I/O. Ghostscript is widely used in Linux systems and various document conversion software. Security researchers recommend updating to the latest version to mitigate the risk. Attackers are already exploiting this vulnerability by using EPS files disguised as JPGs to gain shell access to vulnerable systems.
For update details, see the Ghostscript article in the Resources section below.
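Since the attacks described above rely on EPS content arriving under a .jpg name, a defender-side check that classifies an upload by its leading bytes rather than its extension, plus a helper that flags Ghostscript versions in the affected range, is a useful pre-processing step. This is an added example, not code from the newsletter or from the Ghostscript project; the sample inputs are constructed, and the affected-range cutoff is taken from the "10.03.0 and earlier" statement above.

```python
import re

# Leading bytes that identify content regardless of the file name.
PS_TEXT_MAGIC = b"%!PS"              # plain PostScript/EPS header, e.g. "%!PS-Adobe-3.0 EPSF-3.0"
DOS_EPS_MAGIC = b"\xC5\xD0\xD3\xC6"  # DOS EPS binary header that wraps a PostScript section
JPEG_MAGIC = b"\xFF\xD8\xFF"         # JPEG start-of-image marker


def sniff_format(data: bytes) -> str:
    """Classify a blob by its magic bytes, ignoring whatever extension it was given."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    # Some text EPS files carry leading whitespace before the header, so strip it first.
    if data.startswith(DOS_EPS_MAGIC) or data[:32].lstrip().startswith(PS_TEXT_MAGIC):
        return "postscript"
    return "unknown"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Reject PostScript/EPS content outright and require .jpg/.jpeg files to really be JPEGs.

    Converters that pick a decoder by content would otherwise hand a disguised EPS to Ghostscript.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    if actual == "postscript":
        return False, f"rejected: PostScript/EPS content in '{filename}'"
    if ext in ("jpg", "jpeg") and actual != "jpeg":
        return False, f"rejected: '{filename}' does not contain JPEG data"
    return True, "accepted"


def is_affected_ghostscript(version: str) -> bool:
    """True when a Ghostscript version string (e.g. 'GPL Ghostscript 10.03.0') is 10.03.0 or earlier."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:          # pad short strings such as "10.03" to three components
        parts.append(0)
    return tuple(parts) <= (10, 3, 0)


if __name__ == "__main__":
    # Constructed sample: an EPS header uploaded under a .jpg name.
    print(validate_upload("photo.jpg", b"%!PS-Adobe-3.0 EPSF-3.0\n/x 1 def\n"))
    print(is_affected_ghostscript("GPL Ghostscript 10.03.1"))
```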
In other news
[Ransomware]
Eldorado RaaS
Eldorado is an emerging ransomware-as-a-service (RaaS) operation targeting Windows and Linux systems with variants for each platform. It is written in Go and uses ChaCha20 for file encryption and RSA-OAEP for key encryption. Its data leak site lists 16 victims as of June 2024, including companies in the U.S., Italy, and Croatia.
[Data Breach]
Ticketmaster - Sp1derHunters
In an extortion campaign against Ticketmaster, hackers leaked 39,000 print-at-home tickets for 150 events, including Pearl Jam and Foo Fighters. The group 'Sp1derHunters' sells data stolen from Snowflake accounts. Initially, the hackers demanded $500,000, later raising it to $2 million after leaking 166,000 Taylor Swift ticket barcodes. Ticketmaster claims the data is useless due to their SafeTix technology, which refreshes barcodes frequently.
[Data Breach]
Neiman Marcus
A May 2024 data breach at Neiman Marcus exposed over 31 million customer email addresses, despite the company reporting only 64,472 affected people. The breach included names, contact information, birth dates, gift card info, transaction data, partial credit card numbers, Social Security numbers, and employee IDs.
[Data Breach]
PhilHealth - Medusa Ransomware
PhilHealth is under scrutiny for not informing over 42 million individuals of a data breach from a ransomware attack last fall. Lawmakers demand a status report and notification plan be issued this week. The Medusa ransomware attack in September 2023 compromised data, affecting the health information of millions.
[Supply Chain Attack]
Polyfill.io - Hetzner CSP
The Polyfill.io supply chain attack is more extensive than initially believed, impacting over 380,000 hosts, with around 237,700 located in Hetzner’s cloud network. Prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson have been affected, embedding malicious scripts in their HTTP responses as of July 2, 2024.
[Legal]
Operation MORPHEUS
Operation MORPHEUS, a coordinated law enforcement effort, dismantled nearly 600 servers linked to cybercriminals using Cobalt Strike. The crackdown targeted unlicensed versions of this pen-testing tool from June 24-28, 2024. The operation involved global authorities and was led by the UK NCA, rendering 590 of 690 flagged IP addresses inaccessible.
Resources
Bleeping Computer: RCE bug in widely used Ghostscript library now exploited in attacks
The Hacker News: New Ransomware-as-a-Service 'Eldorado' Targets Windows and Linux Systems
Bleeping Computer: Hackers leak 39,000 print-at-home Ticketmaster tickets for 154 events
Bleeping Computer: Neiman Marcus data breach: 31 million email addresses found exposed
The Hacker News: Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies
The Hacker News: Global Police Operation Shuts Down 600 Cybercrime Servers Linked to Cobalt Strike