
Cyber Incident Victim: Ghost

Date:

May 2020

Location:

United States of America

Summary

A blogging platform experienced a server breach when attackers exploited authentication bypass and directory traversal vulnerabilities in Salt management software to install a cryptocurrency miner. The intrusion triggered immediate detection due to system overload from mining activity, prompting infrastructure shutdowns, patching, and restoration. Although backend systems and billing services were compromised, no financial data or credentials were stolen. The incident was linked to widespread automated scans targeting unpatched Salt instances across various industries, leveraging recently disclosed flaws to deploy crypto-mining malware indiscriminately.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actors:

0 actors

Type:

Available to members

Location:

Available to members

Description

On or around May 2, 2020, attackers initiated a widespread campaign targeting servers running Salt (also known as SaltStack), a server management and automation platform. The hackers conducted mass internet scanning to identify vulnerable Salt installations, exploiting two recently disclosed vulnerabilities: CVE-2020-11651, an authentication bypass flaw, and CVE-2020-11652, a directory traversal vulnerability. These exploits enabled unauthorized access to Salt master servers, which act as central control systems for managing infrastructure. Among the confirmed victims was Ghost, a Node.js-based blogging platform positioned as an alternative to WordPress. Ghost’s security team detected the intrusion into their backend infrastructure at approximately 1:30 AM UTC on May 3, 2020, when a cryptocurrency miner deployed by the attackers caused significant CPU spikes across their systems, triggering immediate operational overloads. The compromise allowed threat actors access to Ghost(Pro) hosting environments and Ghost.org billing services, though forensic investigations confirmed no theft of financial data or user credentials occurred.

Ghost’s incident response involved taking all affected servers offline to contain the breach, applying patches to remediate the Salt vulnerabilities, and redeploying sanitized systems within hours. Security researchers monitoring the attacks characterized the campaign as highly automated, leveraging scanners to identify unpatched Salt instances indiscriminately across sectors, including financial institutions, web hosting providers, and large enterprises. The cryptocurrency miner’s rapid resource consumption served as the primary detection mechanism, preventing prolonged undetected access. SaltStack had released patches for the vulnerabilities earlier in the same week, but an estimated 6,000 internet-exposed Salt servers remained unsecured at the time of the incident. Parallel attacks compromised LineageOS, a mobile operating system developer, underscoring the campaign’s broad scope. The Ghost intrusion concluded with service restoration and no evidence of data exfiltration beyond the cryptojacking payload.

Sources:

1 source (available to members)