Blogging platform Ghost had a rough 24 hours after a hacking group exploited a vulnerability in its Salt-based server infrastructure to plant crypto-mining malware.
According to the platform’s status page, the attack was noticed on 3 May, around 1:30 a.m. UTC, when its development team started “investigating the cause of an outage”. Within hours the team had not only identified the issue but also removed the mining malware from Ghost’s servers and added new firewall configurations.
The incident report reads:
“Our investigation indicates that a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652) was used in an attempt to mine cryptocurrency on our servers. The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately.”
The blogging platform was also quick in reassuring its users that no credit card information was stolen, and that they do not store credentials in plain text. With all traces of the crypto-mining virus gone, the team is now working hard on cleaning and rebuilding the entire network, and is also cycling all sessions, passwords and keys as a precautionary measure. The firm has also said it will publish a post-mortem of the incident later this week.
Developed by SaltStack, Salt is an open-source framework for managing and automating parts of a company’s servers. SaltStack had warned its clients a couple of weeks earlier that there was a “critical vulnerability” in the latest version of Salt, which could allow a “remote user to access some methods without authentication”. On 23 April the company also released a software update which fixed the flaw.
Crypto-mining malware attacks are more common than people believe them to be. According to a report from cybersecurity expert group Guardicore Labs, published last year, over 50,000 company servers worldwide had been infected with malware that made the servers mine a privacy-focused cryptocurrency called TurtleCoin (TRTL).