Cyber Incident Victim: Xen Orchestra
Date: May 2020
Location: France
Summary
Xen Orchestra experienced a security incident involving exploitation of SaltStack vulnerabilities (CVE-2020-11651 and CVE-2020-11652), leading to unauthorized execution of a cryptocurrency mining script on several virtual machines. The attack caused service disruptions through high CPU usage and firewall deactivation, though critical systems like GPG signing keys, customer credentials (securely hashed), and payment data remained uncompromised. Analysis confirmed the payload lacked persistence and did not alter core infrastructure components. The organization mitigated the incident by rebooting affected systems, disabling SaltStack across its infrastructure, and implementing enhanced network isolation via VPNs. Forensic examination leveraging VM backups verified no data exfiltration or lasting system modifications. Ongoing monitoring and password rotations were initiated as precautionary measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On Sunday, May 3, 2020, Xen Orchestra's infrastructure experienced a security incident stemming from exploitation of SaltStack vulnerabilities CVE-2020-11651 and CVE-2020-11652. The initial attack occurred at 1:18 AM UTC when multiple virtual machines across various datacenters became unreachable, exhibiting high CPU usage as a primary symptom. Services remained disrupted until 7:30 AM UTC when staff noticed the outage and rebooted affected VMs, temporarily restoring functionality. Investigation commenced immediately, revealing that firewalls had been mysteriously disabled across systems. By 11:30 AM UTC, a recurring high CPU event on a development machine allowed live observation of a rogue Salt Minion process executing a cryptocurrency mining script. This confirmed the SaltStack vulnerabilities as the attack vector, enabling unauthorized command execution through exposed Salt Master ports.

Analysis determined that the payload (identified as "V1", MD5 hash 8ec3385e20d6d9a88bc95831783beaeb) performed four actions: disabling firewalls, terminating web server processes such as NGINX and Apache, tuning the system for mining efficiency, and running the coin miner. Because this payload version installed nothing persistent, its effects did not survive a VM reboot. Xen Orchestra used its VM backups to compare filesystems across pre-attack, active-attack, and post-attack states, confirming that no secondary payload or persistence mechanism (such as a cron job) had been deployed. Monitoring showed no abnormal network traffic beyond the disrupted web services. Critical infrastructure components were unaffected: Xen Orchestra packages, XCP-ng RPM repositories, and GPG signing keys were unaltered, there was no evidence of customer credential compromise (passwords are stored as salted argon2 hashes), and no payment data is stored at all. Response actions included permanently decommissioning SaltStack across the infrastructure, rotating all passwords and keys, moving management traffic to VPN-secured private networks, accelerating existing infrastructure consolidation plans, and adding CPU-based anomaly detection alerts. Ongoing monitoring and collaboration with the wider SaltStack user community confirmed no residual compromise.
