
Cyber Incident Victim: DigiCert

Date: May 2020

Location: United States of America

Summary

Attackers exploited two critical Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652) in widespread attacks that compromised multiple organizations, including DigiCert. The certificate authority found unauthorized access to the signing key of its Certificate Transparency Log 2, though no evidence indicated the key had been misused; the log was moved to read-only mode as a precaution, and certificate issuance was unaffected because the log runs in an environment separate from the CA systems. Other affected organizations suffered service outages, cryptocurrency-miner infections, and infrastructure compromise: attackers used the root-level access granted by unpatched Salt masters to run commands and deploy malware on the servers they managed. The incident highlighted the systemic risk posed by thousands of exposed systems vulnerable to these remote code execution flaws.


Description

In early May 2020, widespread exploitation of critical vulnerabilities (CVE-2020-11651 and CVE-2020-11652) in SaltStack's infrastructure management software affected multiple organizations, including DigiCert. The vulnerabilities, disclosed by F-Secure, allowed unauthenticated attackers to execute commands with root privileges on Salt master servers and to traverse directories to read sensitive files. Attackers weaponized the flaws quickly after public disclosure, with proof-of-concept exploits circulating within days. Salt versions prior to 3000.2 and 2019.2.4 were confirmed vulnerable, exposing thousands of internet-facing servers. The first attacks began around May 2, 2020, hitting both master servers and their minions across many sectors. US-CERT urged organizations to patch, and SaltStack published hardening guidance. By May 4, more than 5,000 servers remained exposed, and attackers were deploying cryptocurrency miners such as Kinsing/H2Miner and compromising critical infrastructure components.


DigiCert confirmed that intruders entered through these Salt vulnerabilities and obtained the signing key of Certificate Transparency Log 2, which is used to issue signed certificate timestamps (SCTs). Jeremy Rowley, DigiCert's Executive Vice President of Product, stated that the company responded by switching the log to read-only mode to prevent misuse. Forensic analysis found no evidence that the attackers had used the key to forge SCTs, possibly because they did not realise what they had obtained. The breach was confined to the transparency log environment, which runs separately from DigiCert's core Certificate Authority systems, so issued certificates were not affected. At the same time, other organizations including LineageOS, Ghost, and Xen Orchestra suffered service disruptions from Salt exploitation, with attackers deploying coin miners and forcing infrastructure to be taken down. LineageOS took all of its services offline for assessment, while Ghost restored its systems after removing the miner payloads. Xen Orchestra noticed the attack through sudden service unavailability and abnormal CPU spikes. All affected organizations contained the incident by patching, restoring systems, and restricting access to the Salt master ports (4505/4506).
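The containment steps above start from knowing which Salt masters are still on an unpatched release. The following added example, written for this page and not part of the original entry or of any SaltStack tooling, triages reported Salt version strings against the fixed releases the text names (3000.2 and 2019.2.4). It assumes that any release line newer than 3000 already carries the fix and that any line older than 2019.2 is unpatched; both are labelled assumptions in the code. The host inventory is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the incident description.
FIXED_3000 = (3000, 2)
FIXED_2019 = (2019, 2, 4)

# Matches the numeric part of strings such as "salt 2019.2.3" or "3000.1".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_salt_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted numeric version from a 'salt --version' style string."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """Return True if the version predates the fixed releases for the two CVEs."""
    version = parse_salt_version(version_text)
    major = version[0]
    if major == 3000:
        # 3000, 3000.1 are vulnerable; 3000.2 and later are fixed.
        return version < FIXED_3000
    if major == 2019:
        # 2019.2, 2019.2.3 are vulnerable; 2019.2.4 and later are fixed.
        return version < FIXED_2019
    if major > 3000:
        # Assumption: later release lines (3001 onwards) include the fix.
        return False
    # Assumption: release lines older than 2019.2 received no fixed build
    # named on this page, so they are treated as unpatched.
    return True


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose reported Salt version still needs patching.

    `inventory` maps a Salt master hostname to the version string it reports.
    """
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "salt-master-a.example": "salt 2019.2.3",
    "salt-master-b.example": "salt 2019.2.4",
    "salt-master-c.example": "salt 3000.1",
    "salt-master-d.example": "salt 3000.2",
    "salt-master-e.example": "salt 2018.3.4",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable, patch and restrict TCP 4505/4506 to known minions")
```

Version tuples compare element by element, so a bare `3000` parses to `(3000,)` and correctly sorts below `(3000, 2)`; feeding the function the raw output of `salt --version` from each master is enough to build the patch list.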
