Earlier this week, we talked about two vulnerabilities discovered in the SaltStack Salt framework. Now it became known that due to these vulnerabilities, was hacked the search service Algolia.
Two critical problems at once (CVE-2020-11651 and CVE-2020-11652) as part of SaltStack Salt were discovered by F-Secure specialists, and both of them allowed arbitrary code to be executed.Currently, patches for dangerous bugs are already available, but more recently, more than 6,000 potentially vulnerable systems can be found on the network, and exploiting vulnerabilities has proven to be very simple.
Since SaltStack Salt is widely used in data centers and cloud servers, F-Secure experts warned that big problems were coming.
F-Secure doesn’t specifically disclose PoC exploits for these problems, but we warn that most likely, attackers will easily create reliable exploits on their own in the next few days, as the operation of bugs is very simple”, – warned F-Secure experts.
Unfortunately, their warnings are fully justified: with these vulnerabilities, the LineageOS infrastructure, the Ghost blogging platform, the Digicert certification center, and Xen Orchestra were already attacked.
Today it became known about an attack on the search service Algolia, which provides search services to large sites (including Twitch, Hacker News, Stripe). The company reported that the hack occurred last Sunday, May 3, 2020, and was detected almost immediately.
Having compromised Algolia’s infrastructure, hackers installed a backdoor and cryptocurrency miner on several servers, but it is reported that overall an incident did not significantly affect the company’s work. The fact is that Algolia engineers found a compromise, removed malware, disconnected vulnerable servers and restored customer service in minutes. Thus, 15 clusters of 700 (approximately 2%) did not work for about 5 minutes, and blackout of only 6 more clusters (less than 1%) lasted about 10 minutes.
By analyzing the payloads performed by this malware, we concluded that the sole purpose of this attack was to extract cryptocurrency, rather than to collect, modify, destroy or corrupt data”, – says the company’s official statement.
Apparently, for all abovementioned incidents are responsible Kinsing botnet operators. So, the ZDNet publication refers to its own sources in the information security community and writes that Kinsing operators were the first to start exploiting vulnerabilities in SaltStack Salt. They install backdoors and deploy miners on hacked servers.
Currently, the botnet is still continuing its attacks, but now other hack groups have begun to use problems in SaltStack Salt. Information security experts predict that attacks will only intensify in the next weeks, as GitHub have already published PoC exploit for the authentication bypass vulnerability (CVE-2020-11651).
