Tech - News
Hackers Used SaltStack Vulnerability to Breach LineageOS, Ghost, DigiCert
Days after cybersecurity researchers sounded the alarm about two crucial vulnerabilities in the SaltStack Configuration Framework, a hacking campaign has already started to exploit the weaknesses of LineageOS, Ghost, and Digicert servers.
Days after cybersecurity researchers sounded the alarm about two crucial vulnerabilities in the SaltStack Configuration System, a hacking campaign has already begun to exploit the flaws of LineageOS, Ghost, and DigiCert servers.
Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed bugs could allow an opponent to execute arbitrary code on remote servers deployed in data centers and cloud environments. The problems were resolved by SaltStack in a release released on 29 April.
"We expect that any skilled hacker will be able to make 100% accurate exploits for these issues in less than 24 hours," F-Secure researchers said in an advisory last week. LineageOS, an open-source Ios-based operating system, said it detected an intrusion on May 2nd at around 8 p.m. Pacific Time.
"About 8:00 p.m. PST on May 2nd, 2020, the attacker used CVE in our SaltStack master to gain access to our infrastructure," the company acknowledged in its incident report, but added Android builds and key signatures were not compromised by the hack.
Ghost, a blogging site based on Node.js, was also the victim of the same error. In its status report, the developers reported that "about 1:30 a.m. UTC on May 3rd, 2020, the intruder used a Vulnerability in our SaltStack master to gain access to our network" and to mount a cryptocurrency miner.
Ghost, however, reported that there was no proof that the incident resulted in a breach of consumer records, passwords and financial details.
Both LineageOS and Ghost have restored services after they have taken servers offline to repair systems and protect them behind a new firewall.
In a separate development, the Salt vulnerability has also been used to hack into the DigiCert Certificate Authority.
"We noticed today that the CT Log 2 key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 p.m. through the Salt vulnerability," Product VP Jeremy Rowley of DigiCert said in a Google Groups post on Sunday.
"While we don't believe that the key was used to sign SCTs (the attacker doesn't seem to know that they had access to the keys and were running other services on the infrastructure), any SCTs received from that log after 7 p.m. MST yesterday are suspicious. The log should be removed from the trusted log list." With F-Secure's warning disclosing more than 6,000 Salt compromised servers that could be abused.
Have you got anything to say about this article? Comment below or share with us on Facebook, Twitter or our LinkedIn Group.