No method of infection actually mentioned in the article. Email phishing? Network vulnerability probing? Zero day leveraging?
Inquiring minds need to know.
A ransomware-as-a-service operation dubbed “Eldorado” that encrypts files on both Linux and Windows machines has infected at least 16 organizations – primarily in the US – as of June. Singaporean security shop Group-IB first spotted the criminal gang in March 2024, when it spotted it advertising an affiliate program and …
Wait a minute. I accept that the scumware can encrypt files on Linux, but won't that be limited to the files of the user?
Unless </headsmack> they've found a privilege escalation hack, of course. But will said privilege escalation hack function on all distros? I'm guessing not.
Could some Linux aficionados enlighten me on this? Linux has actual security. How is this possible?
/me guesses - well known user name, default password, allows ssh login as root, and by default has 'sudo' with no password and can run any privileged application...
This would point to a default setup problem. Like RPi OS maybe?
(sad but true)
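The "default setup" hypothesis above (root ssh login, default password, passwordless sudo) is easy to check from the defender's side. This is an added example, not code from the thread or from any project it mentions; the function name and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical audit helper: flags the three "default setup" weaknesses
# discussed in the thread. Only explicit directives are checked; it does
# not model sshd's built-in defaults for unset options.
#
# audit_default_setup SSHD_CONFIG SUDOERS
#   prints one finding per line; exit status = number of findings
audit_default_setup() {
    sshd_cfg=$1
    sudoers=$2
    findings=0

    # sshd honours the first occurrence of a keyword, so stop after the first match.
    if sed 's/#.*//' "$sshd_cfg" \
        | awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' \
        | grep -qx 'yes'; then
        echo "sshd: PermitRootLogin yes (root can log in over ssh)"
        findings=$((findings+1))
    fi
    if sed 's/#.*//' "$sshd_cfg" \
        | awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' \
        | grep -qx 'yes'; then
        echo "sshd: PasswordAuthentication yes (a default password is usable)"
        findings=$((findings+1))
    fi
    # Any sudoers rule granting every command without a password.
    if sed 's/#.*//' "$sudoers" | grep -Eq 'NOPASSWD:[[:space:]]*ALL'; then
        echo "sudoers: NOPASSWD: ALL grant (privileged commands without a password)"
        findings=$((findings+1))
    fi
    return "$findings"
}

# Stand-alone demo on constructed sample files (not a real system's config).
demo_dir=$(mktemp -d)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo_dir/sshd_config"
printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$demo_dir/sudoers"
n=0
audit_default_setup "$demo_dir/sshd_config" "$demo_dir/sudoers" || n=$?
echo "findings: $n"
rm -rf "$demo_dir"
```

Run it against the real /etc/ssh/sshd_config and /etc/sudoers (as root) to see which of the three weaknesses a box actually has.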
> This would point to a default setup problem. Like RPi OS maybe? (sad but true)
Really, really hoping anyone who is exposing a R'Pi has at least changed the default login setup.
Otherwise - is this the sort of thing they call "a teachable moment" at BOFH school?
Let's see... That would be Windows (consumer OS) for at least five years. Ubuntu for longer. Devuan. Mint. That's 100% of my sample set.
I'm trying to remember if my router setup did. I know getting it off 192.168.0.0/24 was a major pain, though...
The clue is in the fact that some access broker will have needed to establish a domain administrator's hash or password. You can make Linux servers part of a Windows AD domain. Once they are members of the domain, administrator access is going to give the ransomware all the access it needs to encrypt every file.
Access will be limited to the files accessible on the shares, and only those that the user (who is effectively running the malware) has read-write access to. A half-way competent BOFH will have the shares locked down to minimise access. Of course an incompetent/lazy BOFH will have the shares wide open to everyone ...
You want to encrypt as many different users' files as possible - preferably including the login under which the database server is running. And the separate login for email server, the one for the other important server...
You *ought* to be able to recover (most of) the data from a random human user's files: source code back to the last commit, Word docs back to last snapshot of the home directory.
How does this malicious code execute itself on Linux systems without user action?
All about Eldorado Ransomware: “The ransomware builder asked for the domain administrator’s password .. There are Eldorado versions for Windows .. and Linux .. For Linux, the encryptor is simple and supports only the -path argument. It will only recursively walk through files in the specified directory.”
> It's a bit vague. ..
Apparently, Eldorado requires a default local user account and achieves root by exploiting a bug (CVE-2021-4034) in the polkit pkexec binary. Already patched.
> Does a router, e.g. a domestic / BT router, offer any protection against such intrusions ?
By default your ISP has remote access to your router. Remove the default image and install your own. That way a generic hack shouldn't work on your modem.
Or have the ISP's modem (which has router capabilities) connected to a router you bought yourself.
My old ISP (CenturyLink):
1. Had a port on the modem that allowed them full access for reconfiguring
2. Did not tell their tech support this (Tier 1 or 2)
3. Left the port accessible to the internet at large, instead of dropping attempts to connect to it at the ISP edge