On April 30th, F-Secure researchers released an advisory on two vulnerabilities (CVE-2020-11651 and CVE-2020-11652) that allowed attackers to gain full remote command execution as root on all SaltStack endpoints. SaltStack is a popular open-source, Python-based framework for task automation, data collection, configuration, and updates: a master server creates tasks, and minion servers execute them. The vulnerabilities allow an attacker who can connect to the port that minion servers use to request data from the master to bypass all authentication and authorization controls, essentially giving them full control over the "master" server.
Shortly after the vulnerabilities were announced, reports began arriving of high-profile companies being attacked through them. Companies reporting attacks included the blogging platform Ghost and the LineageOS project, which maintains a popular community-built Android firmware. Both Ghost and LineageOS reportedly had to take down servers because cryptomining malware installed by the attackers consumed all available CPU resources. Additionally, DigiCert reported that a certificate transparency log server (used by certificate authorities to publicly announce the certificates they issue) was affected, giving the actors access to the keys used to sign Signed Certificate Timestamps (SCTs). Even with this access, the attackers only deployed cryptomining malware to DigiCert's servers and did not use the keys for much else.