Hackers took advantage of now-resolved vulnerabilities in salt software to install crypto-mining malware on the servers of popular websites, one of which includes Ghost. This was revealed by security researchers to ZDNet on May 3.
Crypto-mining malware on Ghost server
Based on Node.js, Ghost is an open-source blogging website that advertises itself as a more convenient alternative to the leading blogging platform, WordPress. However, hackers were able to compromise the company’s servers to mine cryptocurrencies.
Ghost reportedly uses Salt software to manage it’s servers. Thus, the attackers exploited the bugs in the Salt software to access the website[s]; afterward, they installed the crypto-mining malware, which resulted in overloads in the company’s CPU.
The hackers mainly focused on cryptocurrency mining, according to a Ghost representative. They did not steal the financial details or credentials of Ghost users, and rather they only installed crypto-mining malware to mine digital currencies from their server illicitly.
Crypto malware overloaded CPUs
Ghost devs were alerted about the unauthorized activity immediately after the company’s CPU spiked, which overloaded most of they’re systems. They had to take down they’re servers and bring it back online only after the vulnerabilities have been patched, per the report.
Before the incident occurred with Ghost, hackers already coded they’re way into the servers of a popular mobile OS known as LineageOS, through the same flaws reported with the Salt software. Another attack was launched on Digicert certificate authority under the same campaign.
Saltstack patches Salt flaws
The processes of the attack are likely to be done automatically, right from the vulnerability scanning and the installation of crypto-mining malware, according to a researcher. At that time, Fortune 500 companies, including banks and other platforms using Salt software, were at risk.
To be precise, about 6,000 Salt servers were exposed; however, Saltstack, the firm behind the software, had recently released patches to resolve the reported vulnerabilities. Users have been advised to either secure they’re system with a firewall or patch the Salt servers.