Despite warnings last week about two critical CVEs in SaltStack, the Ghost blogging platform was hacked over the weekend. It is another example of an organisation neither using automatic patching nor applying critical patches as soon as they are published.
The non-profit organisation boasts that there have been over 2,000,000 installs of its platform. It lists Tinder, DuckDuckGo, Mozilla and Cloudflare as customers. With that sort of customer list, it is hard to see why its own infrastructure was left unpatched.
What happened at Ghost?
In the early hours of Sunday, an attacker used one of the SaltStack CVEs disclosed last week to take control of the Ghost SaltStack master. Because the master can run commands on every minion it manages, the attacker used it to push crypto-mining malware to all of the SaltStack minions. This caused several hours of outage on the site. It took 13 hours from the start of the attack for Ghost to implement a fix and clean all traces of the malware from its systems.
The company has published a timeline of events on its status page.
The attacker also gained access to the infrastructure that runs the Ghost.org billing services. However, the company has confirmed that no customer credit card data was affected. It also makes clear that all account credentials are encrypted. To protect customers, it has cycled all sessions, passwords and keys.
In a smart move, the company has also re-provisioned all servers. Given that a compromised master can execute arbitrary commands on every minion, rebuilding from clean images rather than trying to clean the existing hosts is the only way to be confident that the attacker has left nothing behind and that all systems are clean going forward.
Enterprise Times: What does this mean?
Sadly, this is another case of too little, too late. The warning from F-Secure came on Thursday last week. It warned all SaltStack users to download the fixed releases and patch their systems immediately. SaltStack made the fixes available through its normal update channels. It appears that Ghost had neither enabled automatic updates nor put in place any monitoring for urgent advisories.
Ghost is the first company to admit being caught out by this attack. It shows how quickly attackers can turn a published CVE into a working exploit. In his initial warning, F-Secure's Olle Segerdahl said: “When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”
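For administrators of one of those exposed masters, the two questions to answer before the weekend are whether the installed Salt release is at or above the fixed versions, and whether the master's publish and request ports are reachable from anywhere. The POSIX shell script below is an added example, not code from the article, from Ghost or from SaltStack. It assumes that the fixed releases are 2019.2.4 and 3000.2 (SaltStack's April 2020 releases) and treats anything earlier on any branch as vulnerable; the port check parses `ss -lnt` output for the master's default ports 4505 and 4506. Function names and the sample `ss` lines are constructed for the example.

```shell
#!/bin/sh
# Added example: two quick checks for a Salt master after the April 2020 advisories.
# Assumption: fixed releases are 2019.2.4 and 3000.2; 3001 and later post-date the fix.
# Anything else (2018.x, 2019.2.3, 3000.1, ...) is treated as vulnerable.

# Print 0 if the version string is a fixed release, 1 if vulnerable, 2 if unparseable.
# Accepts the raw output of `salt --version` / `salt-master --version` ("salt 3000.1").
salt_patch_status() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || { echo 2; return 0; }
    major=${v%%.*}
    case "$major" in
        2019)
            # Date-based branch: 2019.2.4 is the first fixed release.
            rest=${v#*.}
            minor=${rest%%.*}
            patch=${rest#*.}
            [ "$patch" = "$rest" ] && patch=0      # "2019.2" carries no patch field
            if [ "$minor" -gt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -ge 4 ]; }; then
                echo 0
            else
                echo 1
            fi
            ;;
        3000)
            # Point-release branch: 3000.2 is the first fixed release.
            rest=${v#*.}
            [ "$rest" = "$v" ] && rest=0           # plain "3000" has no point release
            if [ "$rest" -ge 2 ]; then echo 0; else echo 1; fi
            ;;
        *)
            if [ "$major" -gt 3000 ]; then echo 0; else echo 1; fi
            ;;
    esac
}

# Read `ss -lnt` lines on stdin; succeed (exit 0) if 4505 or 4506 is bound to a
# wildcard address, i.e. the master is listening on every interface.
salt_ports_exposed_from() {
    awk '$4 ~ /^(0\.0\.0\.0|\*|\[::\]):(4505|4506)$/ { found = 1 } END { exit !found }'
}

# Live check against the local host (only runs when invoked with --live).
salt_live_check() {
    ver=$(salt-master --version 2>/dev/null || salt --version 2>/dev/null) \
        || { echo "salt not found on this host"; return 2; }
    case "$(salt_patch_status "$ver")" in
        0) echo "patched: $ver" ;;
        1) echo "VULNERABLE: $ver (upgrade to 2019.2.4 / 3000.2 or later now)" ;;
        *) echo "could not parse version: $ver" ;;
    esac
    if ss -lnt 2>/dev/null | salt_ports_exposed_from; then
        echo "ports 4505/4506 listen on all interfaces: restrict them to minion addresses"
    fi
}

if [ "${1-}" = "--live" ]; then
    salt_live_check
fi
```

Run it as `sh salt-check.sh --live` on the master itself. A "patched" result only covers the Salt packages; a master whose ports are open to the internet is still a target for the next advisory, which is why the port check is reported separately.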
It’s a message that should be racing around the SaltStack community as administrators look to avoid being the next victim.