Ghost blogging platform suffers security breach

Hackers exploited Salt vulnerability in attempt to mine cryptocurrency.

Ghost suffers security breach

The open-source blogging platform Ghost has suffered a serious security scare, no doubt sending shivers down the spines of some of its users.

Ghost said that the attack had hit its Ghost(Pro) hosting sites and Ghost.org billing services, but that no credit card information had been impacted and that no login credentials had been stored in plaintext.

Ghost statement

“Around 1:30AM UTC on May 3rd, 2020 an attacker used a CVE in our saltstack master to gain access to our infrastructure.”

“There is no direct evidence that private customer data, passwords or other information has been compromised. All sessions, passwords and keys are being cycled and all servers are being re-provisioned.”

In a later update on the security breach, Ghost said that its investigations had determined that attackers had exploited a critical vulnerability in Salt, the open-source software used by data centers and cloud servers, in an attempt to mine cryptocurrency on its servers.

“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately. 
At this time there is no evidence of any attempts to access any of our systems or data. Nevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.”

Warnings were issued last week of critical vulnerabilities in Salt which could lead to systems being hijacked.

Sign up to our free newsletter.
Security news, advice, and tips.

At the time, F-Secure’s Olle Segerdahl explained the seriousness of the threat in stark terms:

“Patch by Friday or compromised by Monday. That’s how I’d describe the dilemma facing admins who have their Salt master hosts exposed to the internet.”

Ghost clearly wasn’t quick enough, and was hacked today – Sunday.

And it seems they’re not the only ones. For instance DigiCert and LineageOS:

Whether you’re a single user, a small organisation, or a big company, if you’re running a web server you must keep it up-to-date with the latest security patches.

Update: Since this article was first published, SaltStack have been in touch with a statement from its Senior VP of Product and Marketing, Alex Peay:

“Last week a critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability only occurs if a Salt Master is exposed to the open internet. A scan by the security firm, who identified the vulnerability, identified approximately 6000 instances of exposed Salt masters. This represents a very small portion of the install base. Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability.

Upon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update. Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.

We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.

As the primary maintainers of the Salt Open Project, trusted by the world’s largest businesses to automate digital infrastructure operations and security, we take this vulnerability and the security of our platform very seriously. More information about our response and handling of CVEs is available in our Knowledge Base: SaltStack Response Policy for CVEs.”


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.