Blogging platform Ghost hacked through Salt vulnerability

Online publishing and blogging platform Ghost is back on its feet, after being hacked over the weekend through a critical vulnerability in its SaltStack server management infrastructure.

The service, which counts organisations such as Apple, DuckDuckGo, Mozilla and Nasa among its customers, was targeted through two vulnerabilities, CVE-2020-11651 and CVE-2020-11652, that were first discovered by F-Secure researchers and revealed in a co-ordinated disclosure on 30 April 2020.

The vulnerabilities, which carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible, enable hackers to gain remote code execution capabilities on Salt master repositories. This could allow them to install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies.

F-Secure principal consultant Olle Segerdahl, who uncovered the vulnerabilities, warned that due to their easy-to-exploit nature, Salt users who did not patch their systems by Friday 1 May risked being compromised over the weekend, and indeed, active exploits were seen within 72 hours targeting geographically-dispersed honeypots.

In Ghost’s case, the organisation first reported a service outage affecting its Ghost(Pro) sites and Ghost.org billing services in at approximately 3:20 am BST on the morning of Sunday 3 May.

A subsequent investigation found that attackers had gained access to its system and attempted to use it to mine cryptocurrency. This caused central processing unit (CPU) spikes and overloaded Ghosts’s systems, causing the outage.

Ghost said it had been able to verify that no credit card information, credentials or other data relating to its customers had been affected.

It has now introduced multiple new firewalls and additional security precautions, which have caused some instability on its network and impacted some customers.

“All traces of the cryptomining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,” said Ghost in a statement on its website, correct as of 9:30am on 4 May.

“The team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident and publishing a public post-mortem later this week.”

Tim Mackey, principal security strategist at Synopsys’ Cybersecurity Research Centre, said: “Datacentre patch strategies need to take into account not only the applications deployed, but also the underlying infrastructure and any firmware used within all devices powering businesses.

“In the case of this attack, the attackers were reportedly interested in running cryptomining software. Since attackers define the rules in any cyber attack, it’s important for anyone running an unpatched SaltStack instance to recognize that a different malicious team or environment might could easily result in a different type of compromise.”

Martin Jartelius, chief security officer at Outpost24, added: ”Be grateful this was abused for simple monetary gain and nothing sophisticated, which it could equally well have been.”

Separately, open source Android distribution LineageOS revealed it was also targeted by cyber criminals exploiting the Salt vulnerabilities. Its systems were taken offline at roughly the same time as Ghost’s.