Ghost wasn’t the only
victim of break-ins over the weekend that exploited critical holes in
infrastructure automation software for which patches were available
The popular blogging
platform Ghost has found itself in the crosshairs of attackers who gained
access to its IT infrastructure and installed cryptocurrency-mining malware on
it over the weekend. The intrusion occurred in the early hours of May 3rd and
affected Ghost(Pro) websites and the platform’s billing services, reads a statement on Ghost’s
website.
On the bright side, there’s
no direct evidence to corroborate that any private customer data, including
passwords, credit card information, or credentials, were compromised. The
company immediately introduced a set of security measures to combat the breach,
such as adding extra firewalls and cycling all sessions, passwords and keys on
all of the affected services.
The attempt to mine
cryptocurrency led to a spike in CPU usage and to the overloading of most of
Ghost’s systems, which actually rang the alarm bells. “All traces of the
crypto-mining virus were successfully eliminated yesterday, all systems remain
stable, and we have not discovered any further concerns or issues on our
network. The team is now working hard on remediation to clean and rebuild our
entire network,” said Ghost’s developer.
The investigation also
found that the attackers exploited critical vulnerabilities in Ghost’s server
management infrastructure. The vulnerabilities resided in Salt,
infrastructure automation software also known as SaltStack, and were used to
take over the Salt master server. Patches for these vulnerabilities – indexed
as CVE-2020-11651 and CVE-2020-11652 – were released
by the software maker in late
April, but apparently weren’t applied in due course. Exploitation of the flaws
allows the attacker to bypass all authentication and authorization controls and
gain full remote command execution as root.
The company also added that
it will continue to investigate the issue until it’s completely resolved and
will be contacting all of its customers about the incident. The platform
is home to blogs for the likes of Tinder, Mozilla and
DuckDuckGo.
More trouble
According to a story
broken by ZDNet,
cybercriminals have been particularly busy exploiting the vulnerabilities in
SaltServer to breach other unpatched installations, including those used for
LineageOS. The distributor of this open-source operating system suffered
an attack on May 2nd and notified its users about it within three
hours. Although the company didn’t go into specifics, the statement said that
an attacker used a CVE to gain access to its SaltStack master. Some were quick
to point out that the vulnerability had been disclosed for over a week and
systems should have been patched well before the attack happened.
Reports of similar attacks
were being shared on a SaltStack GitHub
thread, with some adding that
they detected cryptocurrency miners on their machines. According to one user in
the thread, there are more than 6,000 Salt servers still exposed online that
can be susceptible to the vulnerability.