Developers at blogging platform Ghost have spent the past 24 hours fighting a crypto-mining malware attack.
Announced in a status update on May 3, the devs revealed that the attack occurred around 1:30 a.m. UTC. Within four hours, they had successfully implemented a fix and now continue to monitor the results.
No sensitive user data compromised
Yesterday’s incident was reportedly carried out when an attacker targeted Ghost’s “Salt” server backend infrastructure, using an authentication bypass (CVE-2020-11651) and directory traversal (CVE-2020-11652) to gain control of the master server.
The Ghost devs have said that no user credit card information has been affected and reassured the public that no credentials are stored in plaintext. They were alerted to the incident as the hackers attempted to mine cryptocurrency using the platform servers:
“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately.”
In an update posted within the last hour, the Ghost team announced that all traces of the crypto-mining virus have now been completely eliminated. They continue to “clean and rebuild” the entire network, and are apparently cycling all sessions, passwords and keys on every affected service on the platform as a precautionary measure.
A SaltStack representative said:
“Last week a critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability only occurs if a Salt Master is exposed to the open internet.”
The representative noted that 6,000 instances of exposed Salt masters had been identified, which “represents a very small portion of the install base.” While SaltStack swiftly issued patches and notified its users, it confirmed that “some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.”
In light of this, SaltStack underscored that it is critical all Salt users patch their systems and follow its guidance to protect themselves.
A post-mortem of the incident will also be published by Ghost later this week.
Crypto-mining malware — a.k.a. cryptojacking
Crypto-mining malware — sometimes referred to as “cryptojacking” — has been increasingly rife in recent years.
These stealth attacks attempt to install malware that uses a target computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. As with Ghost, the load on the CPU of the hardware can be a telltale sign, although many attacks have previously continued to operate for significant stretches of time without detection.
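The CPU-load signal that Ghost said alerted them (the mining attempt “spiked CPUs”) can be turned into a simple check. The script below is an added example, not code from the article, from Ghost or from SaltStack: it reads successive `ps`-style process snapshots and flags any process that stays at or above a CPU threshold for several consecutive samples, so a brief legitimate spike is ignored while a process pegged at nearly 100% for the whole window is reported. The snapshots, process names and PIDs are constructed for the example.

```python
"""
Added example (not part of the original article or of Ghost's or SaltStack's
tooling): flag processes whose CPU share stays high across successive
samples, the signal Ghost said alerted them to the miner.

Input: constructed samples shaped like `ps -eo pid,pcpu,comm --no-headers`
output, one snapshot per polling interval. All names and numbers are made up.
"""
from collections import defaultdict

# Constructed snapshots. "kworkerx" is an invented process name chosen to
# resemble a kernel thread; nginx shows a single short spike in sample 3.
SAMPLES = [
    "  1012  2.1 nginx\n  2204  1.4 node\n  3310 97.8 kworkerx\n  4020  0.3 sshd\n",
    "  1012  1.9 nginx\n  2204  3.0 node\n  3310 98.5 kworkerx\n  4020  0.2 sshd\n",
    "  1012 55.0 nginx\n  2204  2.2 node\n  3310 99.1 kworkerx\n  4020  0.1 sshd\n",
    "  1012  2.5 nginx\n  2204  2.8 node\n  3310 97.2 kworkerx\n  4020  0.4 sshd\n",
]


def parse_snapshot(text):
    """Parse one ps-style snapshot into {(pid, comm): pcpu}."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank or truncated line
        pid, pcpu, comm = parts
        try:
            procs[(int(pid), comm)] = float(pcpu)
        except ValueError:
            continue  # malformed field: skip rather than crash the monitor
    return procs


def sustained_high_cpu(snapshots, threshold=90.0, min_samples=3):
    """Return (pid, comm) pairs at or above `threshold` %CPU in at least
    `min_samples` consecutive snapshots.

    A one-off spike (nginx at 55% in a single sample) does not qualify;
    a process that stays near 100% across the whole window does.
    """
    streak = defaultdict(int)
    flagged = set()
    for snap in snapshots:
        procs = parse_snapshot(snap)
        # Reset the streak of anything that dropped below threshold or exited.
        for key in list(streak):
            if procs.get(key, 0.0) < threshold:
                streak[key] = 0
        for key, pcpu in procs.items():
            if pcpu >= threshold:
                streak[key] += 1
                if streak[key] >= min_samples:
                    flagged.add(key)
    return sorted(flagged)


if __name__ == "__main__":
    for pid, comm in sustained_high_cpu(SAMPLES):
        print(f"sustained high CPU: pid={pid} comm={comm}")
```

In practice the snapshots would come from a periodic `ps` run or a metrics agent; the consecutive-sample requirement is what keeps a busy web worker from tripping the alert while still catching a miner, which as the article notes can otherwise run unnoticed for long stretches.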
Last month, cybersecurity research group Guardicore Labs revealed that as many as 50,000 servers worldwide had been infected with an advanced cryptojacking malware that mined a privacy-focused altcoin, Turtlecoin (TRTL).
The privacy-centric coin Monero (XMR) has been particularly prevalent in cryptojacking campaigns, with researchers reporting back in mid-2018 that around 5% of the altcoin in circulation had been created through stealth mining.