A serious hacking campaign is currently underway: tens of companies have been compromised by attackers mass-scanning the internet for vulnerable SaltStack installations. Salt is software used to manage and automate servers inside data centers, cloud server clusters, and enterprise networks. Attackers have been exploiting two recently patched bugs to gain access to Salt master servers and then deploy a cryptocurrency miner.

The hackers also managed to breach the servers of LineageOS, a mobile operating system. The second victim is Ghost, a Node.js-based blogging platform built and advertised as a simpler alternative to WordPress. The Ghost developer team said they detected an intrusion into their backend infrastructure systems. The SaltStack vulnerabilities CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) were used to take control of its Salt master server. While the hackers had access to the Ghost(Pro) sites and the Ghost.org billing services, they didn’t steal any financial information or user credentials.
Similar to LineageOS, the Ghost developers took down all servers, patched their systems, and redeployed everything online after a few hours. The attack uses an automated vulnerability scanner that detects outdated Salt installations and then automatically exploits the two bugs to install the crypto-mining malware. Unpatched Salt servers have been seen at banks, web hosting providers, and Fortune 500 companies. There are currently around 6,000 Salt servers exposed on the internet.
The two vulnerabilities were CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal), which, when combined, could allow attackers to bypass login procedures and run code on Salt master servers left exposed on the internet.
The vulnerabilities allow an attacker who can connect to the “request server” port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the “master” server filesystem and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it.
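The two conditions the article describes, an unpatched master and a request-server port reachable from outside the management network, are exactly what a defender wants to triage across an inventory. The following is an added example, not code from the article or from the SaltStack project: it scores constructed inventory records by those two conditions. The record fields, the management CIDRs and the patched-version baselines are assumptions for this example; the real minimum fixed versions should be taken from the vendor advisory.

```python
"""Exposure triage for Salt masters (added example; not from the article or
from SaltStack). Ranks inventory entries by the two conditions the article
names: Salt below the fixed release, and the request-server port reachable
from outside the management network."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class SaltMaster:
    """One inventory record. Field names are assumptions for this example."""
    hostname: str
    bind_address: str               # address the request server listens on
    request_port: int               # the "request server" port the article refers to
    version: str                    # Salt version string reported by the host
    reachable_from_internet: bool   # result of an external reachability check


# Constructed placeholder baselines (branch -> minimum fixed version).
# Substitute the real fixed versions from the vendor advisory.
EXAMPLE_BASELINES = {2019: "2019.2.9", 3000: "3000.9"}

# Constructed inventory; hostnames, addresses and versions are made up.
EXAMPLE_INVENTORY = [
    SaltMaster("salt-prod-01", "0.0.0.0", 4506, "2019.2.3", True),
    SaltMaster("salt-lab-02", "10.20.0.5", 4506, "3000.1", False),
    SaltMaster("salt-edge-03", "203.0.113.10", 4506, "3000.11", True),
    SaltMaster("salt-mgmt-04", "10.20.0.6", 4506, "2019.2.12", False),
]


def parse_version(version):
    """'2019.2.3' -> (2019, 2, 3); '3000.1' -> (3000, 1). Non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(version, baselines):
    """True when `version` is at or above the fixed release of its own branch
    (branch = leading component). An unknown branch is treated as unpatched."""
    parsed = parse_version(version)
    if not parsed:
        return False
    fixed = baselines.get(parsed[0])
    return fixed is not None and parsed >= parse_version(fixed)


def listens_outside_management(bind_address, management_nets):
    """True when the request server can be reached beyond the management networks:
    bound to every interface (0.0.0.0 / ::) or to an address outside those CIDRs."""
    addr = ipaddress.ip_address(bind_address)
    if addr.is_unspecified:
        return True
    if addr.is_loopback:
        return False
    return not any(addr in net for net in management_nets)


def assess(masters, baselines, management_cidrs):
    """Return {hostname: (severity, [reasons])}.
    critical = unpatched and exposed (the scenario in the article),
    high = unpatched but internal only, medium = patched but exposed, ok = neither."""
    nets = [ipaddress.ip_network(c) for c in management_cidrs]
    report = {}
    for m in masters:
        reasons = []
        if not is_patched(m.version, baselines):
            reasons.append(f"Salt {m.version} is below the fixed release for its branch")
        if listens_outside_management(m.bind_address, nets):
            reasons.append(f"request server bound to {m.bind_address}, outside the management networks")
        if m.reachable_from_internet:
            reasons.append(f"port {m.request_port} is reachable from the internet")
        unpatched = not is_patched(m.version, baselines)
        exposed = len(reasons) > (1 if unpatched else 0)
        if unpatched and exposed:
            severity = "critical"
        elif unpatched:
            severity = "high"
        elif exposed:
            severity = "medium"
        else:
            severity = "ok"
        report[m.hostname] = (severity, reasons)
    return report


if __name__ == "__main__":
    for host, (severity, reasons) in assess(EXAMPLE_INVENTORY, EXAMPLE_BASELINES, ["10.0.0.0/8"]).items():
        print(f"{host}: {severity}")
        for r in reasons:
            print(f"  - {r}")
```

A master that binds its request server to all interfaces is flagged even when no external probe has confirmed reachability, because 0.0.0.0 plus any missing firewall rule is the exposure the article's scanner was looking for; the reachability flag is kept as a separate signal so a confirmed external hit and a mere bind setting are both reported.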