According to the development team of the Ghost blogging platform, hackers attacked it using the Authentication bypass vulnerabilities (CVE-2020-11651) and directory bypass (CVE-2020-11652) vulnerabilities in Salt in order to gain control over the main server.
Currently underway is a large-scale malicious campaign, during which were hacked systems of various companies. Cybercriminals actively scan the Network for servers with Salt software installed, used to manage and automate servers inside data centers, cloud server clusters, and corporate networks.
“Although the criminals had access to the Ghost (Pro) sites and Ghost.org billing services, they did not steal financial information or user credentials. Instead, they downloaded a cryptocurrency miner”, – inform Ghost developers.
The mining attempt caused a load of processors and overloaded most computer systems, immediately warning specialists about the problem. Ghost developers shut down all the servers, fixed the systems, and a few hours later resumed their work.
According to some experts, the attacks were most likely carried out using an automatic vulnerability scanner that detected outdated Salt servers, and then automatically exploited two vulnerabilities for installing malware.
“It is possible that the perpetrators of these attacks do not even know which companies they are currently hacking. Vulnerable Salt-servers are fixed in banks, web-hosting and Fortune 500 companies”, – said the experts.
Also, having exploited vulnerabilities in the installation of the Saltstack Salt framework, hackers gained unauthorized access to the infrastructure of the LineageOS mobile operating system, created on the basis of Android and used in smartphones, tablets and set-top boxes.
According to the LineageOS team’s notification, they discovered the hack before the attackers could do any harm.
“The source code of the operating system and its assembly, the release of which was suspended on April 30 for reasons unrelated to the hacking, was not affected. The attackers failed to gain access to the keys for signing the official versions of LineageOS, since they are stored separately from the main OS infrastructure”, – said the developers of LineageOS.
Saltstack, the developer of Salt software, has already released patches for these vulnerabilities. Currently, researchers discovered on the Internet about 6 thousand vulnerable Salt servers.
Let me remind you that recently IS researcher discovered a critical vulnerability in GitLab.
