Ghost blogging platform servers hacked to mine cryptocurrency

The popular blogging platform Ghost has found itself in the crosshairs of attackers who gained access to its IT infrastructure and installed cryptocurrency-mining malware on it over the weekend. The intrusion occurred in the early hours of May 3^rd and affected Ghost(Pro) websites and the platform’s billing services, reads a statement on Ghost’s website.

On the bright side, there’s no direct evidence to corroborate that any private customer data, including passwords, credit card information, or credentials, were compromised. The company immediately introduced a set of security measures to combat the breach, such as adding extra firewalls and cycling all sessions, passwords and keys on all of the affected services.

The attempt to mine cryptocurrency led to a spike in CPU usage and to the overloading of most of Ghost’s systems, which actually rang the alarm bells. “All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network,” said Ghost’s developer.

The investigation also found that the attackers exploited critical vulnerabilities in Ghost’s server management infrastructure. The vulnerabilities resided in Salt, infrastructure automation software also known as SaltStack, and were used to take over the Salt master server. Patches for these vulnerabilities – indexed as CVE-2020-11651 and CVE-2020-11652 – were released by the software maker in late April, but apparently weren’t applied in due course. Exploitation of the flaws allows the attacker to bypass all authentication and authorization controls and gain full remote command execution as root.

RELATED READING: Rough patch, or how to shut the window of (unpatched) opportunity

The company also added that it will continue to investigate the issue until it’s completely resolved and will be contacting all of its customers about the incident. The platform is home to blogs for the likes of Tinder, Mozilla and DuckDuckGo.

More trouble

According to a story broken by ZDNet, cybercriminals have been particularly busy exploiting the vulnerabilities in SaltServer to breach other unpatched installations, including those used for LineageOS. The distributor of this open-source operating system suffered an attack on May 2^nd and notified its users about it within three hours. Although the company didn’t go into specifics, the statement said that an attacker used a CVE to gain access to its SaltStack master. Some were quick to point out that the vulnerability had been disclosed for over a week and systems should have been patched well before the attack happened.

Reports of similar attacks were being shared on a SaltStack GitHub thread, with some adding that they detected cryptocurrency miners on their machines. According to one user in the thread, there are more than 6,000 Salt servers still exposed online that can be susceptible to the vulnerability.