Hackers install crypto mining software on Salt Framework servers

A group of hackers installed cryptographic malware on a corporate server after identifying a weakness in Salt, a popular infrastructure tool used by the likes of IBM, LinkedIn and eBay.

The attack on Salt

Ghost blogging platform said an attacker successfully infiltrated its Salt-based server infrastructure and deployed a crypto-mining virus last Sunday.

"The investigation we are conducting indicates that a critical vulnerability within our server management infrastructure was used in an attempt to extract cryptocurrency through our servers," reads an incident report.

"The mining attempt increased the CPUs and quickly overloaded most of our systems, which immediately alerted us to the problem." Ghost said developers on Monday removed mining malware from its servers and added new firewall configurations.

There are currently more than 6,000 Salt servers exposed online that can be hacked through this vulnerability if they are not changed promptly. Salt's vulnerability patches were released earlier this week. Salt servers should normally be implemented behind a firewall and not be exposed on the Internet.

Even Android in the sights of hackers

Salt is an open source framework developed by SaltStack that manages and automates key parts of corporate servers. Clients, including IBM Cloud, LinkedIn and eBay, use Salt to configure servers, forward messages from the "main server" and send commands at a specific time.

SaltStack warned customers a few weeks ago that a "critical vulnerability" had occurred in the latest version that allowed "a remote user to log in without authentication" and provided "arbitrary directory access to authenticated investors".

SaltStack also released a software update to correct the defect on April 23 last. The Android LineageOS mobile operating system claimed that hackers also had access to its main infrastructure via the same flaw, but the violation was quickly detected.

Will the hackers achieve their goal?

On Sunday, the company admitted in a report that it had not updated the Salt software. It is not known whether the same group is behind the LineageOS and Ghost attacks. Crypto mining software was installed in some attacks, while hackers installed backdoors on servers in others.

It is not clear whether the hackers extracted a certain cryptocurrency. Hacking groups generally favor monero (XMR), as it can only be extracted with CPUs for general purposes, not with dedicated mining chips and can be exchanged for low detection risk.

And you have detected any anomaly in your Android accounts or smartphones? Let us know in the comments below and give us your point of view on this matter.