If your kit is affected, don’t wait: an unpatched vulnerability in Salt claimed two famous victims over the weekend, in the form of the popular Google-free, Android-based LineageOS and the online publishing platform Ghost.
Patched last week, a vulnerability in the Salt configuration tool can allow an attacker to gain full control over an exposed installation. Initially discovered by F-Secure, the problem was fixed in Salt 3000.2 and also in the previous stable release, 2019.2.4. Older releases require something more manual.
Systems that are not set up to update automatically from the SaltStack repo can remain vulnerable, and a scan by F-Secure found more than 6,000 instances exposed to the public internet.
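To turn the version advice above into a check, here is an added Python helper (not from the article or from SaltStack) that classifies a Salt version string against the fixed releases the article names; the version-string layout and the local `salt --version` call are assumptions.

```python
"""Classify a Salt version against the fixed releases named in the article.

Added example, not SaltStack code. The fixed versions 3000.2 and 2019.2.4
come from the article; the `YEAR.MINOR.PATCH` / `3000.PATCH` version
layout is assumed from Salt's release naming.
"""
import re
import subprocess

# First fixed release on each supported line, as stated in the article.
FIXED = {
    "3000": (3000, 2),       # 3000.x line
    "2019.2": (2019, 2, 4),  # 2019.2.x line
}


def parse_version(text):
    """Pull the numeric version out of text such as 'salt 2019.2.4' -> (2019, 2, 4)."""
    m = re.search(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_patched(version):
    """True if the version carries the fix, False if it is on a supported line
    but too old, None for older lines (which the article says need a manual fix)."""
    v = parse_version(version)
    if v[0] >= 3000:
        # pad a bare '3000' to (3000, 0) before comparing against (3000, 2)
        return (v + (0,))[:2] >= FIXED["3000"]
    if v[:2] == (2019, 2):
        return (v + (0,))[:3] >= FIXED["2019.2"]
    return None


def check_local_salt():
    """Run `salt --version` on this host (assumed on PATH) and classify the result."""
    out = subprocess.run(["salt", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_patched(out)


if __name__ == "__main__":
    ver, status = check_local_salt()
    labels = {True: "patched", False: "vulnerable: update now",
              None: "older line: manual fix needed"}
    print(ver, "->", labels[status])
```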
Which is what landed Ghost and LineageOS (or rather, their infrastructure) in trouble.
Ghost?
Ghost.org, which powers a variety of websites and claims more than 2 million installations, first reported a problem in the small hours of May 3, at 3:24 BST, but later admitted that the intrusion had occurred around 2:30 BST, when “an attacker used a CVE in our saltstack masters to gain access to our infrastructure.”
The outfit should be praised for its transparency, if not for the slightly bizarre security practice that led to the borkage.
A complete postmortem is due this week (and The Register has contacted Ghost.org for more information), but the effect was severe. Both the Ghost(Pro) sites and the billing service for Ghost.org were affected, and the gang had to “clean and rebuild our entire network” after bolting on a new firewall and security precautions as the horse disappeared over the horizon, leaving the stable door flapping in the wind.
Ghost.org insisted that no credit card information had been affected, and said it would be cycling all sessions, passwords and keys as well as reprovisioning all servers. It seems the criminals dropped some crypto-mining software onto the company’s network. The software quickly overloaded the servers, alerting administrators via CPU warnings.
At 9:29 BST today, Ghost.org estimated that all traces of evil had been removed and everything was back to normal. That said:
“All traces of the crypto mining virus were removed yesterday, all systems have remained stable, and we have not yet found any further problems in our network. The team is now working hard on repairs to clean and rebuild our entire network. We will keep this incident open and continue to share updates until it’s fully resolved.”
Borkage for Lineage
Also affected was the infrastructure used by LineageOS, which suffered an outage during the morning of May 3. The attack knocked all of its services offline and the team was forced to re-provision its servers.
LineageOS is a free and open-source OS for mobile devices, descended from the CyanogenMod project. As of early May, the OS accounted for more than 1.7 million active installations.
To be clear, the attack took place on LineageOS’s end, and the project quickly pointed out that its signing keys were not affected (they are kept completely separate from its main infrastructure) and that builds had already been paused because of “unrelated problems since 30 April.”
The group then issued a tweet adding that the OS’s source code was also unaffected.
LineageOS services gradually reappeared after the attack, with internal services, mail and wikis restored on Sunday. Its web-based code review system, Gerrit, returned last night, followed by the LineageOS download server and mirrors this morning. ®