Ghost, a Node.js-based blogging platform built and advertised as a simpler alternative to WordPress, was hacked and infected with crypto-mining malware.
The Ghost developer team stated that they detected an intrusion into their backend infrastructure systems. The attackers have been exploiting two recently patched bugs to gain access to Salt servers and then deploy a cryptocurrency miner.
According to the Ghost developers, the hackers used CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) to take control of their Salt master server.
The hackers managed to access the Ghost (Pro) sites and Ghost.org billing services, but they did not steal any financial information or user credentials. Instead, they installed a cryptocurrency miner.
The mining attempt caused CPU usage to spike and quickly overloaded most of their systems, which alerted them to the issue immediately.
Ghost devs took down all servers, patched systems, and redeployed everything online after a few hours.
SaltStack, the company behind the Salt software, published patches earlier this week for the two vulnerabilities. All users are advised to either patch their Salt servers or secure them behind a firewall. It is estimated that at present there are around 6,000 Salt servers exposed on the internet.