Ghost blogging platform servers hacked and infected with crypto-miner

[silversurfer]

Content source

https://www.zdnet.com/article/ghost-blogging-platform-servers-hacked-and-infected-with-crypto-miner/

In a status page, the Ghost developer team said they detected an intrusion into their backend infrastructure systems at around 1:30am UTC.

Ghost devs said the hackers used CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) to take control over its Salt master server.

The blogging company said that while hackers had access to the Ghost(Pro) sites and Ghost.org billing services, they didn't steal any financial information or user credentials.

Instead, Ghost said the hackers installed a cryptocurrency miner."The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately," Ghost developers said.

Ghost devs took down all servers, patched systems, and redeployed everything online after a few hours.

 

[upnorth]

"It is very possible that the threat actor behind these scans doesn't even know the type of companies they're breaching right now," the researcher told ZDNet in a Twitter chat. "We're seeing unpatched Salt servers at banks, web hosters, and Fortune 500 companies."

"Pretty soon ransomware gangs are going to start scanning for this bug, and we're gonna see mayhem, with ransomware deployed at some huge targets."