The open-source blogging platform Ghost has suffered a serious security scare, no doubt sending shivers down the spines of some of its users.
Ghost said that the attack had hit its Ghost(Pro) hosting sites and Ghost.org billing services, but that no credit card information had been impacted and that no login credentials had been stored in plaintext.
“Around 1:30AM UTC on May 3rd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.”
“There is no direct evidence that private customer data, passwords or other information has been compromised. All sessions, passwords and keys are being cycled and all servers are being re-provisioned.”
In a later update on the security breach, Ghost said that its investigations had determined that attackers had exploited a critical vulnerability in Salt, the open-source software used by data centers and cloud servers, in an attempt to mine cryptocurrency on its servers.
“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately. At this time there is no evidence of any attempts to access any of our systems or data. Nevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.”
Warnings were issued last week of critical vulnerabilities in Salt which could lead to systems being hijacked.
At the time, F-Secure’s Olle Segerdahl explained the seriousness of the threat in stark terms:
“Patch by Friday or compromised by Monday. That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”
Ghost clearly wasn’t quick enough, and was hacked today – Sunday.
And it seems they’re not the only ones. DigiCert and LineageOS, for instance:
Around 8PM PST on May 2nd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.
We are able to verify that:
– Signing keys are unaffected.
– Builds are unaffected.
– Source code is unaffected.
See https://t.co/85fvp6Gj2h for more info.
— LineageOS (@LineageAndroid) May 3, 2020
Whether you’re a single user, a small organisation, or a big company, if you’re running a web server you must keep it up-to-date with the latest security patches.
Update: Since this article was first published, SaltStack has been in touch with a statement from its Senior VP of Product and Marketing, Alex Peay:
“Last week a critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability only occurs if a Salt Master is exposed to the open internet. A scan by the security firm, who identified the vulnerability, identified approximately 6000 instances of exposed Salt masters. This represents a very small portion of the install base. Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.
Upon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update. Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.
We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.
As the primary maintainers of the Salt Open Project, trusted by the world’s largest businesses to automate digital infrastructure operations and security, we take this vulnerability and the security of our platform very seriously. More information about our response and handling of CVEs is available in our Knowledge Base: SaltStack Response Policy for CVEs.”
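The vendor statement gives admins two things to check: whether a master runs an affected release, and whether it is exposed to the open internet. The triage helper below is an added example, not code from the article or from SaltStack; it reads "and earlier" as applying to both version branches named in the statement, treats branches the statement does not name as unknown rather than safe, and runs over a constructed host inventory.

```python
"""Triage Salt masters against the advisory quoted above (added example)."""
from typing import Dict, List, Tuple

# Highest affected release per branch, taken from the vendor statement.
# Assumption: "and earlier" applies to both the 2019.2 and 3000 branches.
AFFECTED_CEILINGS = {
    (2019, 2): (2019, 2, 3),
    (3000,): (3000, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2019.2.3' or 'salt 3000.1' into a comparable int tuple."""
    token = text.strip().split()[-1]
    return tuple(int(part) for part in token.split("."))


def version_status(version: str) -> str:
    """'affected', 'not_affected', or 'unknown' (branch not in the statement)."""
    v = parse_version(version)
    for prefix, ceiling in AFFECTED_CEILINGS.items():
        if v[: len(prefix)] == prefix:
            # Tuple comparison: a bare '3000' sorts below (3000, 1), so it counts.
            return "affected" if v <= ceiling else "not_affected"
    return "unknown"


def triage(hosts: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Bucket (name, version, internet_exposed) rows by urgency.

    'urgent'  : affected AND exposed (the condition the statement describes)
    'patch'   : affected but not exposed (still patch, as the vendor asks)
    'ok'      : version past the affected ceiling
    'unknown' : branch not covered by the statement; verify by hand
    """
    buckets: Dict[str, List[str]] = {"urgent": [], "patch": [], "ok": [], "unknown": []}
    for name, version, exposed in hosts:
        status = version_status(version)
        if status == "unknown":
            buckets["unknown"].append(name)
        elif status == "affected":
            buckets["urgent" if exposed else "patch"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


# Constructed sample inventory: (hostname, reported version, exposed to internet).
SAMPLE_INVENTORY = [
    ("salt-master-eu", "3000.1", True),
    ("salt-master-us", "2019.2.3", False),
    ("salt-master-dev", "3000.2", True),
    ("salt-legacy", "2018.3.4", True),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(names) or '-'}")
```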