It has been reported that a popular open-source blogging platform with more than 2 million installs has confirmed it was hacked. Although most people tend to immediately think of WordPress when asked to name a blogging platform, it certainly isn't the only player in town. The self-proclaimed "world's most popular modern open-source publishing platform," Ghost, counts big-name customers such as Mozilla, NASA, and DuckDuckGo among its 750,000 registered users, according to its website. In the last week alone, Ghost users, including writers, podcasters, and video creators, set up 6,920 new publications. It was also hacked yesterday, May 3.
It should be noted that while WordPress is a content management system just as Ghost is, in this case neither content management system was subject to a vulnerability; instead, it was the infrastructure used by the organisation behind the Ghost content manager. The indicators of compromise were not the execution of the attack itself but its symptoms, once the attackers opportunistically used the platform to mine cryptocurrency instead of abusing their access for other gain. Just as we perceive crypto-lockers to be a very common threat because they are loud and visible, attacks like this one are visual and easy to detect. Let's all keep patching and be grateful this access was abused for simple monetary gain and nothing more sophisticated, which it could equally well have been.
Data centre patch strategies need to take into account not only the applications deployed, but also the underlying infrastructure and any firmware used within all devices powering businesses. In this case, the attackers used two vulnerabilities within the SaltStack infrastructure management software used by Ghost. This attack has two key elements to it. First, attackers are actively seeking unpatched SaltStack instances vulnerable to CVE-2020-11651 and CVE-2020-11652. When combined, these two vulnerabilities enable attackers to access SaltStack master methods without authentication, including retrieval of user tokens, and then allow arbitrary access as authenticated users. Second, this attack chain spans Ghost and its customer base to potentially include any organisation running SaltStack. In the case of this attack, the attackers were reportedly interested in running crypto-mining software. Since attackers define the rules in any cyberattack, it's important for anyone running an unpatched SaltStack instance to recognise that a different malicious team or environment could easily result in a different type of compromise.
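The two questions a defender asks after reading the paragraph above are "is my Salt master on a release that still carries CVE-2020-11651 / CVE-2020-11652?" and "are its master ports reachable from where attackers are scanning?". The triage helper below, an added example that is not part of the original article and not SaltStack's own code, answers both from data an operator already has: the text of `salt --versions-report` and the list of listening sockets on the master. It assumes the fixed releases are 2019.2.4 and 3000.2 (the releases SaltStack published for these CVEs), that every earlier release on those branches and every release on older branches is still vulnerable, and that the master uses the default ZeroMQ publish/request ports 4505 and 4506. The versions report and socket list inside the block are constructed sample input.

```python
"""Triage helper for CVE-2020-11651 / CVE-2020-11652 exposure on a Salt master.

Added example, not code from the original article or from SaltStack.
Assumptions (labelled here and in the lead-in):
  - fixed releases are 2019.2.4 (2019.2 branch) and 3000.2 (3000 branch);
    anything earlier on those branches, and every older branch, is vulnerable;
    releases numbered above 3000 shipped after the fix.
  - the master listens on the default ports 4505 (publish) and 4506 (request).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

FIXED_2019 = (2019, 2, 4)      # first fixed release on the 2019.2 branch (assumption)
FIXED_3000 = (3000, 2)         # first fixed release on the 3000 branch (assumption)
MASTER_PORTS = {4505, 4506}    # default Salt master ZeroMQ ports (assumption)
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}


def parse_version(report: str) -> Optional[Tuple[int, ...]]:
    """Pull the 'Salt: x.y.z' line out of `salt --versions-report` output."""
    m = re.search(r"^\s*Salt:\s*(\d+(?:\.\d+)*)\s*$", report, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True when the release predates the fix on its branch.

    Tuple comparison treats a missing component as smaller, so (3000,) and
    (3000, 1) both compare below (3000, 2), which is what we want.
    """
    major = version[0]
    if major < 2019:
        return True                      # older branches never received a fix
    if major == 2019:
        return version < FIXED_2019
    if major == 3000:
        return version < FIXED_3000
    return False                         # 3001 and later shipped fixed


def exposed_master_ports(listeners: List[str]) -> Set[int]:
    """Return master ports bound to a wildcard address, given 'addr:port' strings."""
    exposed: Set[int] = set()
    for sock in listeners:
        addr, _, port = sock.rpartition(":")
        if addr in WILDCARD_ADDRS and port.isdigit() and int(port) in MASTER_PORTS:
            exposed.add(int(port))
    return exposed


def triage(report: str, listeners: List[str]) -> Dict[str, object]:
    """Combine version and exposure checks into one verdict."""
    version = parse_version(report)
    vulnerable = version is not None and is_vulnerable_version(version)
    exposed = exposed_master_ports(listeners)
    if vulnerable and exposed:
        action = "PATCH NOW: vulnerable release with master ports reachable on all interfaces"
    elif vulnerable:
        action = "PATCH: vulnerable release; ports are not wildcard-bound, but still upgrade"
    elif exposed:
        action = "OK on version; consider restricting 4505/4506 to minion networks"
    else:
        action = "OK"
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "exposed_ports": sorted(exposed),
        "action": action,
    }


# Constructed sample input (not captured from a real host).
SAMPLE_REPORT = """Salt Version:
           Salt: 3000.1

Dependency Versions:
           cffi: Not Installed
"""
SAMPLE_LISTENERS = ["0.0.0.0:4505", "[::]:4506", "127.0.0.1:8000"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT, SAMPLE_LISTENERS).items():
        print(f"{key}: {value}")
```

Run on a master, feed `triage()` the real `salt --versions-report` text and the output of the host's socket listing (reduced to `addr:port` strings) to get a single verdict; the version check alone is enough to decide whether the host belongs on the emergency patch list the paragraph above argues for.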