Hackers leverage Saltbox flaw to breach LineageOS, Ghost and DigiCert servers

It took only days for hackers to latch onto these known vulnerabilities

Just days after cyber security researchers brought attention to two critical vulnerabilities in the SaltStack configuration framework, hackers have exploited the flaws to breach the servers of LineageOS, Ghost and DigiCert.

Dubbed CVE-2020-11651 and CVE-2020-11652, the previously disclosed flaws may allow a hacker to execute arbitrary code on remote servers deployed in data centers and cloud environments.

Researchers previously warned that any competent hacker could create 100% reliable exploits related to the issues in 24 hours or less. Since then, LineageOS detected an intrusion that occurred on May 2, 2020.

"Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure," the company shared in its incident report. The company added the breach didn’t impact Android builds and signing keys.

Ghost also fell victim to the Saltbox vulnerability. Developers noted that "around 1:30 am UTC on May 3rd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure" and install a cryptocurrency miner. According to the developers, the mining attempt spiked CPUs, which quickly overloaded Ghost’s systems, alerting them of the attack immediately.

LineageOS and Ghost have since patched the impacted systems and restored services. 

The Salt vulnerability was also used to hack into DigiCert certificate authority. DigiCert's VP of product, Jeremy Rowley, shared in a Google Groups post on Sunday, "We discovered today that CT Log 2's key used to sign SCTs (signed certificate timestamps) was compromised last night at 7 pm via the Salt vulnerability." 

Rowley added, "Although we don't think the key was used to sign SCTs (the attacker doesn't seem to realize that they gained access to the keys and were running other services on the infrastructure), any SCTs provided from that log after 7 pm MST yesterday are suspect. The log should be pulled from the trusted log list." 

While the issues were fixed by SaltStack in a release published on April 29, 2020, it’d be wise for businesses to update Salt software packages to the latest version to resolve these flaws and avoid any and all nefarious hacking attempts.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021
FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021
Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021

Most Popular

WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021