Over the weekend, the hackers continued their work by making use of vulnerable salt deposits used in various infrastructures for server management and automation.
Among the organizations that announced the invasion were LineageOS, Vates (creator of the open Xen Orchestra), the blog platform Ghost and DigiCert. Hundreds of servers, both assistants and customers (accomplices), have probably been compromised so far.
Public error and operating code
Salt versions up to 3000.2 and 2019.2.4 are vulnerable to CVE-2020-11651 and CVE-2020-11652. More info here Outsource Support in India. Last week, F-Secure discovered two vulnerabilities that indicate that it would take less than 24 hours for an experienced hacker to develop a 100% reliable exploit.
The first allows attackers to queue messages with commands on the main public server and obtain this root key, which authenticates the local root user’s commands on the main server.
Because of this unintended exposure, an external, non-authenticated attacker can gain equal access to the Salzmaster root, F-Secure explains.
CVE-2020-11652 is a path bypass vulnerability that allows files to be read outside the intended directory. In combination with the CVE-2020-11651, an non-authenticated attacker can gain read and write access anywhere and steal the secret key to authenticate to the root of the main server.
Because the operational code is trivial to create, a cyber security company has refrained from publishing it to protect companies that are slow to correct it. However, several versions (1, 2, 3, 4) have been released in public space, which generally means that there will be more attacks.
In the two days since the attacks began, more than 120 comments have been posted on the Salt Bug page, many of which describe signs of intrusion and how to stop illegal activities on the server.
Note that it may not be enough to kill the attacker’s processes and the server may need to be reinstalled. It is recommended to install a patch immediately; Salt can be configured to receive automatic updates from the official SaltStack repository.
When this is not possible, F-Secure indicates that the network security check must be configured to restrict access to the Salt Wizard server (on standard ports 4505 and 4506). It is also recommended to block access to the public Internet.
US CERT has also warned you about the seriousness of the problem and insists on upgrading Salt ASAP to protect your cloud servers! SaltStack advises on the protection and deterrence of the salt environment.
In some cases, exploiting recent saltwater vulnerabilities is part of the Kingsing/H2Miner botnet’s crypto-mining campaign, which focuses on cloud environments. Shakhtar (XMRig) operates under the names of salt pens, salt pens bakers and salt warehouses. There are at least two samples, one of which has a low degree of detection (1, 2).
Today Intezer, a malware analysis company, confirmed on Twitter that H2Miner attacks SaltStack cases with two errors reported by F-Secure. They said it was placed on Bitbucket and it wasn’t very different from the previous models.
The attack on the main infrastructure of LineageOS, the adaptable Android operating system, took place on Saturday night and forced administrators to disable all services. In the hours that followed, the team worked on assessing and repairing the damage.
At the time of writing, only two services, statistics and construction, were still involved, although the latter has been in operation since 30 September 2001. April due to an unrelated problem, so they are not affected by hackers. The ultimate goal of this incident has still not been achieved.
Digital radio pause
Jeremy Rowley, executive vice president of products at DigiCert, said Sunday that hackers have compromised the Certificate Transparency Log 2 key used to sign the timestamps of certificates (SCT).
We’re putting the magazine in read-only mode now, Rupert said. There are no indications that the intruder used the TBS key, probably because he didn’t know he had access to it. Instead, they started running other services on the server.
Mr Rowley, however, stated that any TBS originating from this protocol after the time of the offence is suspect and that the protocol should be removed from the list of drivers. He also pointed out that hackers had access to KT 2 because it was an old infrastructure that was not running on a private network at the time of the rollout.
CT Protocol 2 was for 1. Mayday’s expected. He got an extension because some customers still needed it. His status as an heir also means that he worked separately from the other TK protocols.
Access to the TK did not affect the certificates because the protocols work in a separate environment and not in a certificate authority.
Ghost Blogging Platform
The ghost blog platform is another victim of hackers exploiting the Salt’s vulnerabilities, and their services have failed. On Sunday it reported that the infringement related to the billing services Ghost (Pro) and Ghost.org.
The investigation showed that the credit card details were not affected and that there was no direct evidence that customers’ private data, passwords or other information was being compromised.
After identifying the security problem and its impact on the phantom services, the platform reported that the target of the attack was the extraction of cryptographic material. The attempt to disassemble resulted in a processor overload and a rapid overload of most of our systems, which, according to the message, alerted us immediately to the problem.
The ghost says that he has removed all traces of the mint maker, that his systems are now stable and that no other versions have been discovered.
On Sunday evening, hackers took advantage of the Salt’s weaknesses to make another sacrifice: Xen Orchestra, a platform that provides tools for managing the Citrix hypervisor (XenServer) and enables a complete overview of the infrastructure.
The attack started after a subset of the infrastructure services became unavailable almost simultaneously. Another symptom was the high CPU usage, read the safety report for the Xen orchestra.
The aim of the invasion was to get the miner to fetch coins on virtual machines using an unauthorised salt facade method, the company stated. In deeper excavations, the researchers discovered that the charge is a version of the salt reservoir that performs quite basic tasks specific to more efficient extraction, and that it is not persistent.
These organisations are just a few examples of victims of two salt vulnerabilities published by F-Secure. The dismantling of the components seems to be the main objective of the threat actor, but more treacherous loads could have been used instead.
According to the Censys search engine for hosts and networks available on the Internet, there are currently more than 5,000 publicly accessible SaltStack servers on the Internet that are potentially vulnerable to two bugs already in use on the network. So the crushers have enough to eat unless the salt stain accelerates.