Ghost didn't patch its SaltStack and got hacked (Image Credit: OpenClipart-Vectors from Pixabay )Despite warnings last week about two critical CVEs in SaltStack, the Ghost blogging platform was hacked over the weekend. It’s another example of an organisation not using automatic patching and failing to apply patches immediately.

The non-profit organisation boasts there have been over 2,000,000 installs of its platform. It lists Tinder, DuckDuckGo, Mozilla and Cloudflare as customers. With that sort of customer list, it makes no sense that it was not protecting its platform.

F-Secure warned last week about the risks of not patching when F-Secure Principal Consultant Olle Segerdahl warned: “Patch by Friday or compromised by Monday.” 

What happened at Ghost?

In the early hours of Sunday, an attacker used a known CVE to take control of the Ghost SaltStack master. Using that master, it proceeded to deploy a crypto-mining virus across all the SaltStack minions. This caused several hours of outage on the site. It took 13 hours from the attack starting for Ghost to implement a fix and clean all traces of the virus from its system.

The company has published a timeline of events its status page.

The attacker also gained access to the infrastructure that runs the billing services. However, the company has confirmed that no customer credit card data was affected. It also makes clear that all account credentials are encrypted. To protect customers, it has cycled all sessions, passwords and key,

In a smart move, the company has also re-provisioned all servers. This should ensure that the attacker has left nothing behind and that all systems are clean going forward.

Enterprise Times: What does this mean

Sadly, this is another case of too little, too late. The warning from F-Secure came on Thursday last week. It warned all SaltStack customers to download and patch their systems immediately. SaltStack added fixes to their automatic updates process. It appears that Ghost hadn’t turned that on and wasn’t monitoring for any urgent issues.

Olle Segerdahl, Principal Consultant, F-Secure (Image Credit: LinkedIn)
Olle Segerdahl, Principal Consultant, F-Secure

Ghost is the first company to admit being caught out by this attack. It shows how quickly attackers can take a CVE and create an attack. In his initial warning Segerdahl said: “When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”

It’s a message that should be racing around the SaltStack community as administrators look to avoid being the next victim.


  1. Yeah, it would be great to publish such deep details of vulnerabilities MORE than 24 hours after patched software is available. “The ClearFuncs class processes unauthenticated requests and unintentionally exposes the _send_pub() method, which can be used to queue messages directly on the master publish server.”. There is a key to the kingdom handed on a silver platter right there.

    Nearly no one patched in time.


Please enter your comment!
Please enter your name here