Experts warn of a hacking campaign targeting organizations that use the Salt platform to manage their infrastructure; the latest victim is the Ghost blogging platform.
The attackers exploited unpatched vulnerabilities to breach the Salt installations. Salt (aka SaltStack) is Python-based, open-source software for event-driven IT automation, remote task execution, and configuration management.
A few days ago, researchers from F-Secure disclosed a number of vulnerabilities in the “Salt” framework, including two issues that could be exploited by attackers to take over Salt installations.
The two flaws, tracked as CVE-2020-11651 and CVE-2020-11652, are a directory traversal issue and an authentication bypass vulnerability respectively. By chaining the two issues, an attacker could bypass authentication and run arbitrary code on Salt master servers exposed online.
Administrators of Salt servers started reporting attacks exploiting the above vulnerabilities last week; threat actors used them to deliver backdoors and cryptocurrency miners.
The same vulnerabilities in the Salt platform were exploited over the weekend to hack the infrastructure of LineageOS.
A few hours later another security incident was reported by the media: ZDNet reported that the Node.js-based blogging platform Ghost suffered a similar incident. The attackers compromised the blogging platform to deploy a cryptocurrency miner; the intrusion took place on May 3, 2020.
“Around 1:30AM UTC on May 3rd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure (please see https://docs.saltstack.com/en/latest/topics/releases/3000.2.html for more information). This affects both Ghost(Pro) sites and Ghost.org billing services.” reads the statement published by Ghost Team.
“All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network.”
The attackers had access to the Ghost(Pro) sites and Ghost.org billing services, but no personal or financial data were exposed as a result of the intrusion.
The Ghost team took down its servers and addressed the flaws before resuming operations.
Experts believe that we will observe a spike in attacks against vulnerable Salt installations exposed online in the coming weeks. Threat actors could exploit the two vulnerabilities to install backdoors, miners, and ransomware in the compromised infrastructures.
ZDNet speculates that the operators of the infamous Kinsing botnet are behind the attacks reported in the last few hours.
Administrators should install the available security updates to protect their installations.
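The two practical questions a defender has after reading the above are whether a given master is still running an unpatched release and whether its listener is reachable from outside the host. The following script is an added example written for this post, not code from Ghost, SaltStack or the researchers; it assumes the fixed releases named in the SaltStack advisory linked above (3000.2, and 2019.2.4 for the 2019.2 branch), assumes the Salt master's default publish/request ports 4505 and 4506, and treats any branch older than 2019.2 as unpatched, which is a conservative assumption for branches that only received out-of-band patches. The socket listing it parses is a constructed `ss -ltn` style sample.

```python
"""Defender-side checks for the Salt master flaws discussed above (added example).

Assumptions, not taken from the post:
  - fixed releases are 3000.2 (and everything after it) and 2019.2.4;
  - 4505/4506 are the master's default publish and request ports;
  - anything on a branch older than 2019.2 is reported as unpatched.
"""
import re
from typing import List, Tuple

FIXED_3000 = (3000, 2)      # first patched release on the 3000 branch
FIXED_2019 = (2019, 2, 4)   # first patched release on the 2019.2 branch
SALT_MASTER_PORTS = {4505, 4506}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a numeric version tuple from e.g. 'salt 3000.1' or '2019.2.3'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str) -> bool:
    """True if the version string names a release that includes the fixes."""
    v = parse_version(version_text)
    if v[0] >= 3000:
        # 3000.2 and every later release (3001, ...) carry the fix;
        # a bare '3000' or '3000.1' does not.
        return v >= FIXED_3000
    if v[0] == 2019:
        return v >= FIXED_2019
    # Older branches: report as unpatched and review by hand (assumption).
    return False


# Constructed sample of `ss -ltn` output on a master host (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:4505        0.0.0.0:*
LISTEN 0      128    0.0.0.0:4506        0.0.0.0:*
LISTEN 0      128    127.0.0.1:4506      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)


def exposed_master_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs where a Salt master port listens on a
    non-loopback address, i.e. is reachable from the network."""
    findings = []
    for addr, port in LISTEN_RE.findall(ss_output):
        port = int(port)
        if port in SALT_MASTER_PORTS and addr not in LOOPBACK:
            findings.append((addr, port))
    return findings


if __name__ == "__main__":
    for sample in ("salt 3000.1", "salt 3000.2", "2019.2.3", "2019.2.4"):
        print(f"{sample:12s} patched={is_patched(sample)}")
    for addr, port in exposed_master_ports(SAMPLE_SS):
        print(f"master port {port} reachable on {addr}: restrict to minion networks")
```

On a real host, feed `salt --version` output to `is_patched` and `ss -ltn` output to `exposed_master_ports`; a master that is both unpatched and listening on `0.0.0.0` or `[::]` is exactly the "exposed online" case the post describes and should be patched and firewalled before anything else.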