Cryptojacking Attack on Ghost Blogging Platform

Ghost, an open-source blogging platform, suffered a cryptojacking attack that compromised its servers. The attack resulted from the exploitation of critical vulnerabilities in SaltStack, the configuration management tool used to administer Ghost's infrastructure.

The impact

The attackers did not steal any credentials or financial information; instead, they installed a cryptocurrency miner. The developers noticed the issue because the mining activity spiked CPU usage and overloaded the affected systems.

Mitigation

The developers at Ghost announced that the malware has been completely removed. As a precaution, the entire network is being cleaned and rebuilt, and all sessions, passwords, and keys on every affected service are being rotated.

What is cryptojacking?

  • Cryptojacking (also called cryptomining attacks) is a stealthy attack in which attackers install miners that use a computer's processing power to mine cryptocurrency without the owner's knowledge or consent.
  • Although Ghost detected the incident because of the resulting system overload, in many cases the mining operation goes undetected for a significant amount of time, since a miner throttled to modest CPU usage produces few obvious symptoms.
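
The sustained CPU spike that exposed the miner on Ghost's servers is also the simplest signal a defender can monitor for. The following Python is an added example, not code from Ghost, SaltStack or the article: it scans a series of process snapshots and flags processes whose CPU usage stays above a threshold for several consecutive samples, while an allowlist suppresses known CPU-heavy jobs. The snapshot data, process names and PIDs are constructed for the example; in practice the snapshots would come from `ps`, `/proc` or a monitoring agent.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# One snapshot is a list of (pid, process name, cpu percent) tuples.
Snapshot = List[Tuple[int, str, float]]

# Constructed sample data (hypothetical): three snapshots taken one minute apart.
# "node" is busy only in the last sample, "backup" is a legitimate heavy job,
# and "unlisted_bin" stays pegged near 100% the whole time.
SNAPSHOTS: List[Snapshot] = [
    [(101, "node", 12.0), (202, "nginx", 1.5), (303, "unlisted_bin", 97.0), (404, "backup", 95.0)],
    [(101, "node", 15.0), (202, "nginx", 2.0), (303, "unlisted_bin", 98.5), (404, "backup", 96.0)],
    [(101, "node", 70.0), (202, "nginx", 1.0), (303, "unlisted_bin", 99.0), (404, "backup", 94.0)],
]


def sustained_high_cpu(
    snapshots: List[Snapshot],
    threshold: float = 90.0,
    min_samples: int = 3,
    allowlist: FrozenSet[str] = frozenset(),
) -> List[Tuple[int, str]]:
    """Return (pid, name) for processes at or above `threshold` percent CPU
    in at least `min_samples` consecutive snapshots, excluding allowlisted names.

    A single spike (a build, a request burst) does not trigger; only a run of
    consecutive high samples does, which is the miner-like pattern.
    """
    streak: Dict[int, int] = defaultdict(int)  # consecutive high samples per pid
    names: Dict[int, str] = {}

    for snap in snapshots:
        seen = set()
        for pid, name, cpu in snap:
            seen.add(pid)
            names[pid] = name
            streak[pid] = streak[pid] + 1 if cpu >= threshold else 0
        # A process that disappeared between samples breaks its streak.
        for pid in list(streak):
            if pid not in seen:
                streak[pid] = 0

    return sorted(
        (pid, names[pid])
        for pid, run in streak.items()
        if run >= min_samples and names[pid] not in allowlist
    )


if __name__ == "__main__":
    for pid, name in sustained_high_cpu(SNAPSHOTS, allowlist=frozenset({"backup"})):
        print(f"sustained high CPU: pid={pid} name={name}")
```

The allowlist is the tuning knob: without it the backup job is reported alongside the unknown binary, and raising `min_samples` trades detection latency for fewer false positives. Any process that is flagged and not recognised warrants checking its executable path and parent process before deciding whether it belongs on the host.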

Some history

  • Before the Ghost incident, the attackers had also compromised the servers of LineageOS, an Android-based operating system, by exploiting the same SaltStack flaw. That breach was detected before any harm could be done.
  • The attackers also exploited the SaltStack vulnerability to gain access to the CT2 Certificate Transparency log operated by DigiCert. As a consequence, DigiCert deactivated the CT2 log server.

In essence

The vulnerabilities have been patched by SaltStack, and users are advised to update their installations to the latest version. Salt users are also advised to follow SaltStack's remediation guidelines for securing their Salt environment.