Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

ghost vulnerability

Hackers targeted Ghost on Sunday, in a cryptocurrency mining attack that caused widespread outages.

Hackers targeted the publishing platform Ghost over the weekend, launching a cryptojacking attack against its servers that led to widespread outages. The attack stemmed from the exploit of critical vulnerabilities in SaltStack, used in Ghost’s server management infrastructure.

Ghost is a free, open-source blogging platform with an install base of over 2 million, including big-name customers like Mozilla and DuckDuckGo. The company, which touts itself as an alternative to platforms like WordPress, Medium and Tumblr, first posted on Sunday at 3:24 BST that customers were experiencing service outages. It has since fixed the issue and systems are up and running again, as of Monday.

Upon further investigation, Ghost said that the hack stemmed from attackers exploiting two flaws, CVE-2020-11651 and CVE-2020-11652, which allow full remote code execution as root on servers in data centers and cloud environments. The two flaws specifically exist in SaltStack’s open-source Salt management framework, used by customers like Ghost as an open-source configuration tool to monitor and update the state of their servers.

“All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network,” according to Ghost’s announcement on its status update page. “The team is now working hard on remediation to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it is fully resolved. We will also be contacting all customers directly to notify them of the incident, and publishing a public post-mortem later this week.”

CVE-2020-11651 is an authentication bypass issue, while CVE-2020-11652 is a directory-traversal flaw where untrusted input (i.e. parameters in network requests) is not sanitized correctly. This in turn allows access to the entire filesystem of the master server, researchers found.

SaltStack has released patches for the flaw in release 3000.2, on April 30 – however, researchers with F-Secure, who discovered the flaw, said a preliminary scan revealed more than 6,000 potentially vulnerable Salt instances exposed to the public internet. As such, researchers warned that they expect in-the-wild attacks to be launched against the flaws imminently.

It appears that some of those vulnerable Salt instances belonged to Ghost. After exploiting the flaws, attackers were able launch a cryptocurrency mining attack, which in turn spiked CPU usage and overloaded systems. Both Ghost Pro sites and Ghost.org billing services were affected – though Ghost said that credit card data was not affected. Ghost said that a fix has been implemented and that additional firewall configurations are now running.

“At this time there is no evidence of any attempts to access any of our systems or data,” according to Ghost. “Nevertheless, all sessions, passwords and keys are being cycled and all servers are being re-provisioned.”

Alex Peay, senior vice president of Product at SaltStack, told Threatpost that “upon notification of the CVE, SaltStack took immediate action to remediate the vulnerability, develop and issue patches, and communicate to our customers about the affected versions so they can prepare their systems for update.”

“We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security,” Peay said.  “It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations.”

Threatpost has reached out to Ghost for further comment.

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.

Suggested articles