Devs at Blogging Platform Ghost Take Down Crypto-Mining Malware Attack

Published at: May 4, 2020

Developers at blogging platform Ghost have spent the past 24 hours fighting a crypto mining malware attack.

Announced in a status update on May 3, the devs revealed that the attack occurred around 1:30 a.m. UTC. Within four hours, they had successfully implemented a fix and now continue to monitor the results.

No sensitive user data compromised

Yesterday’s incident reportedly began when an attacker targeted Ghost’s SaltStack (“Salt”) configuration-management infrastructure, chaining an authentication bypass (CVE-2020-11651) with a directory traversal (CVE-2020-11652) to gain control of the Salt master, the server that issues commands to every host it manages.

The Ghost devs say that no user credit card information was affected and that no credentials are stored in plaintext. They were alerted to the incident when the attackers attempted to mine cryptocurrency on the platform’s servers:

“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately.”

In an update posted within the last hour, the Ghost team announced that all traces of the crypto-mining malware have been eliminated. They continue to “clean and rebuild” the entire network, and are rotating all sessions, passwords and keys on every affected service as a precaution.

A SaltStack representative told Cointelegraph: 


“Last week a critical vulnerability was discovered in Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier. The vulnerability only occurs if a Salt Master is exposed to the open internet.”

The representative noted that 6,000 instances of exposed Salt masters had been identified, which “represents a very small portion of the install base.” While SaltStack swiftly issued patches and notified its users, it confirmed that “some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches.”

In light of this, SaltStack underscored that it is critical that all Salt users patch their systems and follow its guidance to protect themselves.
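The two conditions in SaltStack’s statement above, a version in the affected range and a master reachable from the open internet, can both be checked from the master itself before deciding whether an emergency patch or rebuild is needed. The script below is an added example, not Ghost’s or SaltStack’s own tooling. It assumes `salt --version` style strings, `ss -Hltn` style listening-socket output (a constructed sample is embedded), and the Salt master’s default ZeroMQ ports 4505 (publish) and 4506 (request); the version ranges are those quoted by the representative, read as “2019.2.3 and earlier” and “3000 through 3000.1”.

```python
"""Pre-patch triage for a Salt master: affected version? master ports bound to a wildcard?

Added example, not SaltStack's or Ghost's code. Assumptions:
  * version strings look like "salt 3000.1" or "2019.2.3";
  * listening sockets are supplied in `ss -Hltn` column layout (constructed sample below);
  * the master uses the default ports 4505 and 4506.
"""
import re
from typing import List, Tuple

SALT_MASTER_PORTS = {4505, 4506}
# Addresses that mean "every interface"; older ss prints "*", newer prints 0.0.0.0 / [::].
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version as a comparable tuple, e.g. 'salt 3000.1' -> (3000, 1)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(text: str) -> bool:
    """True when the version is in the ranges quoted in the SaltStack statement:
    2019.2.3 and earlier (2019.2.4 is the fix), or 3000 up to 3000.1 (3000.2 is the fix)."""
    v = parse_salt_version(text)
    return v < (2019, 2, 4) or (3000,) <= v < (3000, 2)


def exposed_master_ports(ss_output: str) -> List[str]:
    """Return 'addr:port' for every Salt master port bound to a wildcard address.

    A wildcard bind is only internet-exposed if no host or network firewall sits in
    front of it, so treat a hit as "verify", not as proof of exposure.
    """
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        # ss -Hltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")  # rpartition keeps "[::]" intact
        if addr in WILDCARD_ADDRS and port.isdigit() and int(port) in SALT_MASTER_PORTS:
            exposed.append(local)
    return exposed


# Constructed `ss -Hltn` output: a master listening on all interfaces.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4506 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""


def triage(version_text: str, ss_output: str) -> dict:
    """Combine both checks into one verdict for an operator."""
    vulnerable = is_vulnerable_version(version_text)
    exposed = exposed_master_ports(ss_output)
    return {
        "version": ".".join(map(str, parse_salt_version(version_text))),
        "vulnerable_version": vulnerable,
        "wildcard_binds": exposed,
        "action": "patch now and assume compromise if ever internet-reachable"
        if vulnerable and exposed else "patch; verify reachability" if vulnerable else "ok",
    }


if __name__ == "__main__":
    print(triage("salt 3000.1", SAMPLE_SS))
```

On a live master, replace `SAMPLE_SS` with the output of `ss -Hltn` and the version string with `salt --version`; the result for the constructed sample is `vulnerable_version=True` with both 4505 and 4506 bound to 0.0.0.0. A master that passes the version check but still shows wildcard binds should have its `interface:` setting and firewall reviewed regardless, since the vendor’s statement ties the incident to internet-exposed masters.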

A post-mortem of the incident will also be published by Ghost later this week.

Crypto-mining malware — a.k.a. cryptojacking

As Cointelegraph has previously reported, crypto-mining malware — sometimes referred to as “cryptojacking” — has been increasingly rife in recent years.

These attacks install malware that uses a target computer’s processing power to mine cryptocurrency without the owner’s consent or knowledge. As with Ghost, a sudden, sustained load on the CPU can be a telltale sign, although many campaigns have run for significant stretches of time without detection.
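The CPU signal that gave Ghost away can be turned into a simple host check: sample per-process CPU time at intervals and flag any process that keeps a core busy across several consecutive windows, which separates a miner from a one-off compile or backup job. The code below is an added example, not Ghost’s detection logic. It works on constructed snapshots so it runs offline; the `read_proc_snapshot` helper, which reads `/proc/[pid]/stat` on Linux, is an assumption about how the same data would be gathered live. Process names in the sample are invented.

```python
"""Flag processes that hold a CPU core busy across consecutive samples.

Added example, not Ghost's tooling. Snapshots are {pid: (comm, cpu_seconds_total)};
the constructed ones below are 10 s apart. A multi-threaded miner can exceed 1.0
(one full core) per process because utime+stime sums across its threads.
"""
import os
from typing import Dict, List, Tuple

Snapshot = Dict[int, Tuple[str, float]]


def read_proc_snapshot() -> Snapshot:
    """Linux only: one live sample from /proc (not used by the offline demo)."""
    hz = os.sysconf("SC_CLK_TCK")
    snap: Snapshot = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited between listdir() and open()
        head, _, rest = stat.rpartition(")")  # comm may contain spaces/parentheses
        comm = head.split("(", 1)[1]
        fields = rest.split()
        utime, stime = int(fields[11]), int(fields[12])  # fields 14 and 15 in proc(5)
        snap[int(entry)] = (comm, (utime + stime) / hz)
    return snap


def sustained_hogs(snapshots: List[Snapshot], interval_s: float,
                   threshold: float = 0.9, min_windows: int = 2) -> Dict[int, Tuple[str, int, float]]:
    """Return {pid: (comm, consecutive_windows, mean_util)} for processes whose
    utilisation (cpu-seconds per wall second) stayed >= threshold for min_windows
    consecutive windows. A pid that vanishes and reappears is treated as new."""
    streak: Dict[int, Tuple[str, int, float]] = {}
    for prev, cur in zip(snapshots, snapshots[1:]):
        for pid, (comm, cpu) in cur.items():
            if pid not in prev or prev[pid][0] != comm:
                streak[pid] = (comm, 0, 0.0)  # no baseline yet, or pid reused
                continue
            util = (cpu - prev[pid][1]) / interval_s
            _, n, total = streak.get(pid, (comm, 0, 0.0))
            streak[pid] = (comm, n + 1, total + util) if util >= threshold else (comm, 0, 0.0)
    return {pid: (comm, n, total / n)
            for pid, (comm, n, total) in streak.items() if n >= min_windows}


# Constructed snapshots, 10 s apart. pid 3090 burns a full core from the 2nd sample on;
# pid 4100 is a compiler that spikes for one window and exits; the rest idle.
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    {1: ("systemd", 0.5), 812: ("node", 12.0), 2044: ("kworker/0:1", 3.0)},
    {1: ("systemd", 0.5), 812: ("node", 12.5), 2044: ("kworker/0:1", 3.1),
     3090: ("cron-helper", 4.0), 4100: ("cc1", 0.5)},
    {1: ("systemd", 0.5), 812: ("node", 13.1), 2044: ("kworker/0:1", 3.1),
     3090: ("cron-helper", 13.8), 4100: ("cc1", 9.9)},
    {1: ("systemd", 0.5), 812: ("node", 13.4), 2044: ("kworker/0:1", 3.2),
     3090: ("cron-helper", 23.7)},
    {1: ("systemd", 0.5), 812: ("node", 14.0), 2044: ("kworker/0:1", 3.2),
     3090: ("cron-helper", 33.5)},
]


if __name__ == "__main__":
    for pid, (comm, n, util) in sustained_hogs(SAMPLE_SNAPSHOTS, interval_s=10.0).items():
        print(f"pid {pid} ({comm}): {util:.2f} cores for {n} consecutive windows")
```

Only pid 3090 is reported: the compiler’s single hot window falls under `min_windows`. The caveat the article itself raises still applies: a miner throttled to a fraction of a core, or one that pauses when an administrator logs in, stays below a fixed threshold, so in practice this check is a trigger for closer inspection (process parent, binary path, outbound connections) rather than a verdict, and the threshold should be set against the host’s normal baseline.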

Last month, security research firm Guardicore Labs revealed that as many as 50,000 servers worldwide had been infected with an advanced cryptojacking malware that mined a privacy-focused altcoin, Turtlecoin (TRTL).

The privacy-centric coin Monero (XMR) has been particularly prevalent in cryptojacking campaigns, with researchers reporting back in mid-2018 that around 5% of the altcoin in circulation had been created through stealth mining.
