Ghost blogging platform presents itself as “the simple alternative to WordPress.”
The popular open-source blogging platform Ghost has suffered a security breach in which unknown hacker(s) exploited critical vulnerabilities to mine cryptocurrency on the company’s server.
The platform is developed by the Ghost Foundation, based in Singapore, and presents itself as “the simple alternative to WordPress.” The scale of the breach can be gauged from the fact that Ghost hosts the blogs of well-known companies including DuckDuckGo, DigitalOcean, Tinder, Revolut, Mozilla, Airtable, Codecademy, Cloudflare, OkCupid, BitPay and TransferWise.
The incident began on May 3 at 03:24 BST, when the company updated its status page to report a service outage. At 10:15 BST the same day, the company announced that an attacker had exploited two vulnerabilities in its server-management infrastructure, powered by SaltStack software, to gain access to Ghost’s infrastructure.
The attack affected both Ghost(Pro) sites and Ghost.org billing services, the company wrote on its status page. The company further maintains that, so far, there is no evidence that customers’ personal data, passwords or credit card information was compromised.
Detailing the attack, Ghost stated that the attacker(s) exploited two vulnerabilities, CVE-2020-11651 and CVE-2020-11652, to mine cryptocurrency on its servers.
“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately,” the company said.
CVE-2020-11651 affects some versions of SaltStack and allows remote attackers to act without authenticating at all. The vulnerability can be used to retrieve user tokens from the salt-master and/or run arbitrary commands on salt minions.
CVE-2020-11652, on the other hand, allowed access to methods that improperly sanitise paths; these methods gave authenticated users arbitrary directory access.
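To show the bug class behind CVE-2020-11652, here is an added example (not SaltStack’s or Ghost’s code) that places a path-resolution routine which only normalises the requested path next to one that enforces containment under the intended root; the root directory, function names and sample requests are assumptions for the illustration.

```python
import os

# Constructed illustration of the path-sanitisation bug class described
# for CVE-2020-11652. This is NOT SaltStack's code: the root directory,
# function names and sample requests below are assumptions for the demo.

FILE_ROOT = "/srv/salt"  # assumed directory the file server should expose


def unsafe_resolve(root, requested):
    """Vulnerable pattern: join and normalise the path but never check
    that the result still lies under root, so '..' walks out of it."""
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(root, requested):
    """Hardened pattern: reject empty/absolute paths and NUL bytes, resolve
    symlinks with realpath, then require the result to be root itself or a
    descendant of root. Returns None when the request is rejected.
    A '..' that stays inside root (e.g. 'a/../b') is still allowed."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def audit_requests(root, requests):
    """Return {request: (unsafe_result, safe_result)} so the two behaviours
    can be compared side by side for a batch of file-server requests."""
    return {r: (unsafe_resolve(root, r), safe_resolve(root, r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one benign, two traversal attempts,
    # one absolute path, and one '..' that never leaves the root.
    samples = ["top.sls", "../../etc/shadow", "states/../../../etc/passwd",
               "/etc/shadow", "states/../top.sls"]
    for req, (unsafe, safe) in audit_requests(FILE_ROOT, samples).items():
        print(f"{req!r:35} unsafe -> {unsafe:22} safe -> {safe}")
```

The containment check rejects anything that resolves outside the root rather than pattern-matching on `..`, which is the property a fix for this class of bug has to guarantee.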
Unfortunately some sites on Ghost(Pro) are currently having problems due to a critical security vulnerability which is affecting many services around the world today.
We're working as quickly as we can to resolve it, and sharing updates here: https://t.co/0rnXw9Ux6d
— Ghost (@Ghost) May 3, 2020
Nevertheless, Ghost has since implemented new security measures, including firewalls, and its servers have been restored. According to the security advisory, SaltStack plans to address the vulnerabilities in its Sodium release, set for mid-June 2020.