
Servers Running Unpatched SaltStack Software Hacked

In the first days of May 2020 hackers tried to brute-force their way into systems running Salt server management software. As reported by ZDNet, malicious actors have been using an automated scanner that trawls the Internet for servers running the SaltStack software and exploiting a couple of bugs that have since been patched in the latest releases.

According to security reports, at least a dozen companies have been affected by the large-scale attack. Those notably include LineageOS, a mobile OS, and the Ghost blogging platform. The hackers who took control of the compromised servers installed cryptocurrency mining malware on them. The two bugs exploited by the bad actors comprise an authentication bypass and a directory traversal. Those two bugs have been logged as CVE-2020-11651 and CVE-2020-11652 and allowed access to both cloud and data center servers that run Salt.

Hackers Only After Crypto-Mining, Not Theft

In a status update, the Ghost platform team informed the public and its customers that no credit card information or credentials were stolen or affected in any way. The hackers instead installed the crypto-miner malware on the compromised servers. This led to an immediate and very obvious spike in server CPU activity and an eventual overload, which in turn quickly alerted the Ghost team to the intrusion. Ghost reacted by taking down all of its servers and patching the issue with the fix provided by the Salt team before bringing everything back up.

The extent of control that hackers got over the compromised systems was significant. Bad actors received root access to the server, full access to the file systems and the ability to execute code remotely.

Fears Loom Over Ransomware Attacks On Unpatched Salt Servers

There are fears that very soon ransomware actors might step in and try to exploit the same vulnerabilities in systems that are still not updated, which may be a much bigger and more costly issue than the crypto-miner attack. ZDNet quotes an anonymous source who believes the crypto-miner attacks were carried out using the Kinsing botnet.

Security experts quoted by ZDNet believe that the bad actors used a bot that scans for older SaltStack installs and automatically triggers the vulnerabilities to gain access. Early reports by F-Secure discovered around 6,000 potentially vulnerable systems. The critical bugs in Salt that were exploited in the attack were fixed with a patch released in late April.
