Hackers are mass-scanning the web for vulnerable Salt installs that would allow them to break into organizations; the latest victim is the Ghost blogging platform.
Experts warn of a hacking campaign targeting organizations that use the Salt platform to manage their infrastructure; the latest victim is the Ghost blogging platform.
The attackers exploited unpatched vulnerabilities to breach the Salt installations. Salt (aka SaltStack) is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.
A few days ago, researchers from F-Secure disclosed several vulnerabilities in the Salt framework, including two issues that attackers could exploit to take over Salt installations.
The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are an authentication bypass and a directory traversal issue respectively. Chained together, they allow an unauthenticated attacker to run arbitrary code on Salt master servers exposed online.
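The fixes for both CVEs shipped in Salt 2019.2.4 and 3000.2 (the 3000.2 release notes are the ones Ghost links to below). The following is an added example, not code from the article, from Ghost or from the SaltStack project: a small Python check that parses `salt --version` style output and decides whether the running master predates those fixed releases. It assumes the output carries the version as the first dotted number (for example "salt 2019.2.3" or "salt-master 3000.1"); the sample outputs at the bottom are constructed for illustration.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Releases in which SaltStack fixed CVE-2020-11651 (auth bypass) and
# CVE-2020-11652 (directory traversal). Salt uses two numbering schemes:
# date-based YYYY.M.N releases and the integer scheme that began at 3000.
FIXED_DATE_BRANCH = (2019, 2, 4)   # 2019.2.4
FIXED_NEON_BRANCH = (3000, 2)      # 3000.2


def parse_salt_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version number from `salt --version` output.

    Accepts "2019.2.3", "3000", "3000.1" and similar; returns None if no
    version-looking token is present (assumed output format, see lead-in).
    """
    m = re.search(r"(?<![\d.])(\d+(?:\.\d+)*)(?![\d.])", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if `version` predates the CVE-2020-11651/11652 fixes.

    Integer-scheme releases (3000 and up) are vulnerable below 3000.2;
    date-based releases are vulnerable below 2019.2.4. Python compares the
    tuples element by element, so (3000,) < (3000, 2) and (3001,) is not.
    Caveat: older branches later received backported patches that a bare
    version string does not reveal, so this check errs toward "vulnerable".
    """
    if version[0] >= 3000:
        return version < FIXED_NEON_BRANCH
    return version < FIXED_DATE_BRANCH


def assess(version_output: str) -> str:
    """Turn raw `salt --version` output into a one-line verdict."""
    version = parse_salt_version(version_output)
    if version is None:
        return "unknown: could not parse a Salt version"
    label = ".".join(str(p) for p in version)
    if is_vulnerable(version):
        return (f"VULNERABLE: salt {label} predates the CVE-2020-11651/11652 "
                f"fixes (upgrade to 2019.2.4 or 3000.2 or later)")
    return f"ok: salt {label} includes the CVE-2020-11651/11652 fixes"


# Constructed sample outputs used when no local `salt` binary is present.
SAMPLE_OUTPUTS = [
    "salt 2019.2.3",
    "salt-master 3000.1",
    "salt 3000.2",
    "salt 2018.3.4",
]


def local_salt_version_output() -> Optional[str]:
    """Run `salt --version` if the binary is installed, else return None."""
    if shutil.which("salt") is None:
        return None
    result = subprocess.run(["salt", "--version"], capture_output=True, text=True)
    return result.stdout.strip() or None


if __name__ == "__main__":
    local = local_salt_version_output()
    outputs = [local] if local else SAMPLE_OUTPUTS
    for out in outputs:
        print(f"{out!r:>24} -> {assess(out)}")
```

The version check only tells you whether the master binary is patched; the masters being hit in this campaign were also reachable from the internet. Independently of the version, the master's request and publish ports (TCP 4506 and 4505 by default) should be restricted to the minions that need them, so that a future bug in the same code path cannot be reached by mass scanners at all.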
Administrators of Salt servers started reporting attacks exploiting the above vulnerabilities last week; threat actors used them to deliver backdoors and cryptocurrency miners.
The same Salt vulnerabilities were exploited over the weekend to breach the infrastructure of LineageOS.
A few hours later another security incident was reported by the media: ZDNet reported that the Node.js-based blogging platform Ghost suffered a similar incident. The attackers compromised the platform's infrastructure to deploy a cryptocurrency miner; the intrusion happened on May 3, 2020.
“Around 1:30AM UTC on May 3rd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure (please see https://docs.saltstack.com/en/latest/topics/releases/3000.2.html for more information). This affects both Ghost(Pro) sites and Ghost.org billing services.” reads the statement published by the Ghost Team.
“All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we haven’t discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network.”
The attackers had access to the Ghost(Pro) sites and Ghost.org billing services, but no personal or financial data was exposed as a result of the intrusion.
The Ghost team took down its servers and addressed the issues before resuming operations.
Experts believe we will observe a spike in attacks against vulnerable Salt installs exposed online in the coming weeks. Threat actors could exploit the two vulnerabilities to install backdoors, miners, and ransomware on compromised infrastructure.