
Rewterz threat Advisory – SaltStack Vulnerability gets Ghost Blogging Platform Infected with Crypto-miner

May 4, 2020

Severity

High

Analysis Summary

A serious hacking campaign is currently underway, and tens of companies have been compromised by attackers mass-scanning the internet for vulnerable SaltStack installations. Salt is software used to manage and automate servers inside data centers, cloud server clusters, and enterprise networks. Attackers have been exploiting two recently patched bugs to gain access to Salt master servers and then deploy a cryptocurrency miner. The hackers also managed to breach the servers of LineageOS, a mobile operating system. The second victim is Ghost, a Node.js-based blogging platform built and advertised as a simpler alternative to WordPress. The Ghost developer team said they detected an intrusion into their backend infrastructure systems. The SaltStack vulnerabilities CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) were used to take control of its Salt master server. While the hackers had access to the Ghost(Pro) sites and Ghost.org billing services, they didn’t steal any financial information or user credentials.

Similar to LineageOS, the Ghost developers took down all servers, patched systems, and redeployed everything online after a few hours. The attackers used an automated vulnerability scanner to detect outdated Salt installs and then automatically exploited the two bugs to install the crypto-mining malware. Unpatched Salt servers were seen at banks, web hosting providers, and Fortune 500 companies. There are currently around 6,000 Salt servers exposed on the internet.

The two vulnerabilities are CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal), which, when combined, allow attackers to bypass login procedures and run code on Salt master servers left exposed on the internet.

The vulnerabilities allow an attacker who can connect to the “request server” port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the “master” server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.

Impact

  • Unauthorized Access
  • Authentication Bypass
  • Remote Code Execution
  • Power Consumption

Affected Products

SaltStack

Remediation

  • SaltStack engineers patched these vulnerabilities in release 3000.2. Users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from SaltStack's repository server; see https://repo.saltstack.com/ for more information.
  • A patch release for the previous major release line, 2019.2.x, is also available as version 2019.2.4.
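To turn the two fixed versions above into an inventory check, here is an added example (not part of the original advisory or of SaltStack's own tooling) that classifies reported Salt versions as patched or unpatched for CVE-2020-11651/CVE-2020-11652. The fixed releases 3000.2 and 2019.2.4 come from the advisory; the `salt 3000.1` output format, the sample inventory, and the conservative assumption that release lines older than 2019.2 received no fix are constructed for the example.

```python
import re

# Fixed releases named in the advisory, keyed by release line.
# The 3000 line is fixed from 3000.2; the 2019.2 line is fixed from 2019.2.4.
FIXED_RELEASES = {
    (3000,): (3000, 2),
    (2019, 2): (2019, 2, 4),
}


def parse_version(text):
    """Extract a numeric version tuple from strings such as 'salt 3000.1'
    (assumed format of `salt --version` output) or a bare '2019.2.3'."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text):
    """Return True if the version carries the CVE-2020-11651/11652 fix.

    Rules, in order:
    - anything in a line newer than 3000 is assumed to post-date the fix;
    - 3000.x is patched from 3000.2 (a bare '3000' or '3000.1' is not);
    - 2019.2.x is patched from 2019.2.4;
    - older lines (2018.3, 2017.7, ...) are treated as unpatched, a
      conservative assumption since the advisory names no fix for them.
    """
    version = parse_version(version_text)
    if version[0] > 3000:
        return True
    if version[0] == 3000:
        return version >= FIXED_RELEASES[(3000,)]
    if version[:2] == (2019, 2):
        return version >= FIXED_RELEASES[(2019, 2)]
    return False


def triage(inventory):
    """Given {hostname: version string}, return the sorted list of hosts
    that still need the patch, so they can be prioritised for update."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory: what an asset list might hold after
# collecting `salt --version` from each master.
SAMPLE_INVENTORY = {
    "salt-master-prod": "salt 3000.1",
    "salt-master-dr": "salt 3000.2",
    "salt-master-legacy": "salt 2019.2.3",
    "salt-master-lab": "salt 2019.2.4",
    "salt-master-old": "salt 2018.3.4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {host} ({SAMPLE_INVENTORY[host]})")
```

Run as a script it lists the three sample hosts that need updating; `triage` can also be fed the output of a real asset inventory. Note that a bare `3000` release (no point version) sorts below `3000.2` under tuple comparison and is correctly reported as unpatched.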
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.