Ghost blogging platform servers hacked and infected with crypto-miner

Ghost platform got hacked via the same vulnerability that allowed hackers to breach LineageOS servers hours before.
Written by Catalin Cimpanu, Contributor
Ghost logo
Image: Ghost

A serious hacking campaign is currently underway, and tens of companies have been hacked already, ZDNet has learned from security researchers keeping an eye on the attacks.

For the past 24 hours, hackers have been mass-scanning the internet for Salt, a type of software used to manage and automate servers inside data centers, cloud server clusters, and enterprise networks.

Attackers have been exploiting two recently-patched bugs to gain access to Salt servers and then deploy a cryptocurrency miner.

LineageOS hacked. Now Ghost.

Earlier today, ZDNet reported that hackers managed to breach the servers of LineageOS, a mobile operating system.

A second major hack surfaced a few hours later after our initial report. The second victim is Ghost, a Node.js-based blogging platform, built and advertised as a simpler alternative to WordPress.

In a status page, the Ghost developer team said they detected an intrusion into their backend infrastructure systems at around 1:30am UTC.

Ghost devs said the hackers used CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) to take control over its Salt master server.

The blogging company said that while hackers had access to the Ghost(Pro) sites and Ghost.org billing services, they didn't steal any financial information or user credentials.

Instead, Ghost said the hackers installed a cryptocurrency miner.

"The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately," Ghost developers said.

Similar to LineageOS, Ghost devs took down all servers, patched systems, and redeployed everything online after a few hours.

Ransomware gangs expected to exploit bugs in the coming days

A security researcher who requested we not use his name for this report said the attacks were most likely carried out with an automated vulnerability scanner that detected outdated Salt installs, and then automatically exploited the two bugs to install the crypto-mining malware.

"It is very possible that the threat actor behind these scans doesn't even know the type of companies they're breaching right now," the researcher told ZDNet in a Twitter chat. "We're seeing unpatched Salt servers at banks, web hosters, and Fortune 500 companies."

"Pretty soon ransomware gangs are going to start scanning for this bug, and we're gonna see mayhem, with ransomware deployed at some huge targets."

Some of these intrusions are currently being reported on a GitHub thread, with similar reports of an attacker planting a cryptocurrency miner on hacked Salt systems. Our source has identified the attacker behind most of these intrusions as the Kinsing botnet.

Saltstack, the company behind the Salt software, published patches earlier this week to address the two vulnerabilities. Companies are advised to either patch the Salt servers or secure them behind a firewall. There are currently around 6,000 Salt servers exposed on the internet.

Updated post publication to add that the Digicert certificate authority and the Xen Orchestra hosting service have also had servers breached using the same Salt vulnerability.

What's in a name? These DevOps tools come with strange backstories

Editorial standards