Days after security researchers warned of two critical vulnerabilities in the SaltStack configuration-management framework, attackers are actively exploiting them, and LineageOS, Ghost, and DigiCert are among the confirmed victims. The flaws, CVE-2020-11651 (an authentication bypass in the Salt master) and CVE-2020-11652 (a directory traversal), together let an unauthenticated attacker run arbitrary code as root on Salt masters and the minions they manage, whether in data centers or in the cloud. SaltStack released fixed versions on April 29.

F-Secure, whose researchers found the flaws, had warned in its advisory that any competent attacker would be able to build a reliable exploit within 24 hours of disclosure. That prediction held: several organizations have since reported compromises.

LineageOS, which develops an open-source Android-based operating system, detected unauthorized access to its infrastructure on May 2 at approximately 8 PM Pacific Time. The project confirmed that the intruder exploited an unpatched CVE in its SaltStack master, but said that Android builds and signing keys were not affected.

The blogging platform Ghost suffered a similar breach. According to its status page, an attacker exploited the SaltStack master to get into its systems around 1:30 AM UTC on May 3 and installed a cryptocurrency miner. The miner drove CPU usage high enough to trigger alerts, which is how the team noticed the intrusion. Ghost stated that no customer data, passwords, or financial information were compromised.

After these breaches, both LineageOS and Ghost took their servers offline to apply the patches and placed them behind a new firewall.

In a parallel incident, the same vulnerabilities led to a breach at DigiCert, a prominent certificate authority. DigiCert's VP of Product, Jeremy Rowley, reported that the Salt vulnerability was used to gain access to the signing key of its Certificate Transparency log CT Log 2, which signs that log's signed certificate timestamps (SCTs). DigiCert deactivated the affected log and said its other CT logs were not affected.

These incidents underscore the cost of delayed patching: F-Secure counted more than 6,000 Salt masters exposed to the internet and exploitable if left unpatched. The uniform advice is to upgrade to the fixed releases (2019.2.4 or 3000.2) and, as F-Secure also recommended, to stop exposing the master's request and publish ports (4505 and 4506 by default) to the internet, restricting them to known minions.
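As an added example (not code from the article, SaltStack, or F-Secure), the following Python script triages a constructed inventory of Salt masters against the fixed releases named above. The inventory format, hostnames, and version strings are assumptions; the only facts it encodes are that the fixes shipped in 2019.2.4 and 3000.2 and that every 3001+ release postdates them. Branches the article does not cover (for example 2018.3.x) are flagged for manual verification rather than guessed at.

```python
"""Triage a Salt master inventory for CVE-2020-11651 / CVE-2020-11652.

Added example for this article; it is not SaltStack's or F-Secure's code.
Assumption: each inventory line is '<host> <output of `salt --version`>'.
Grounded facts: the fixes shipped on 2020-04-29 in Salt 2019.2.4 and 3000.2,
and every release with a major of 3001 or higher was cut after the fix.
Branches not listed in FIXED_IN are flagged for manual verification.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# branch -> first release in that branch carrying the fix
FIXED_IN: Dict[str, Version] = {
    "2019.2": (2019, 2, 4),
    "3000": (3000, 2),
}

# Accepts 'salt 2019.2.3', 'salt-master 3000.1' or a bare '3000'.
_VERSION_RE = re.compile(r"^(?:salt(?:-master)?\s+)?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """Turn `salt --version` output into an integer tuple, e.g. (2019, 2, 3)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Salt version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def branch_of(version: Version) -> str:
    """Salt used YYYY.M.patch up to 2019.2 and a single major (3000.x) afterwards."""
    if version[0] >= 3000:
        return str(version[0])
    return ".".join(str(p) for p in version[:2])


def classify(version: Version) -> str:
    """Return PATCHED, VULNERABLE or UNKNOWN-BRANCH for one master."""
    if version[0] > 3000:
        return "PATCHED"  # 3001 and later were released after the April 29 fix
    fixed = FIXED_IN.get(branch_of(version))
    if fixed is None:
        return "UNKNOWN-BRANCH"  # e.g. 2018.3.x: not covered here, check by hand
    # A bare '3000' parses as (3000,); pad with zeros so it compares as (3000, 0).
    padded = version + (0,) * (len(fixed) - len(version))
    return "PATCHED" if padded >= fixed else "VULNERABLE"


def triage(inventory: str) -> Dict[str, str]:
    """Map each host in the inventory text to its classification."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.strip().partition(" ")
        try:
            results[host] = classify(parse_version(version_text))
        except ValueError:
            results[host] = "UNPARSEABLE"
    return results


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = """\
salt-master-01 salt 2019.2.3
salt-master-02 salt 2019.2.4
salt-master-03 salt 3000
salt-master-04 salt-master 3000.1
salt-master-05 salt 3000.2
salt-master-06 salt 2018.3.5
salt-master-07 salt 3001
salt-master-08 n/a
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Anything reported as VULNERABLE or UNKNOWN-BRANCH is a host to patch (or verify) before worrying about firewall rules; the two unsupported-branch and unparseable outcomes are deliberately separate so that a stale or malformed inventory entry is not silently counted as safe.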

As businesses increasingly rely on digital infrastructure, it is imperative to remain vigilant against such threats. In MITRE ATT&CK terms, the initial access in all three cases was Exploit Public-Facing Application (T1190) against an internet-exposed Salt master, and the cryptominer installed at Ghost corresponds to Resource Hijacking (T1496). Because a compromised Salt master can push commands to every minion it manages, organizations should assume the blast radius extends beyond the master itself, review their exposure accordingly, and reinforce their defenses against similar future threats.
