Hackers install crypto mining software by exploiting a defect in the popular Framework Salt server

Hackers install crypto mining software by exploiting a flaw in the popular Salt Framework server - EW71bPbU8AEvWZEA group of hackers installed cryptographic malware on a corporate server after identifying a weakness in Salt, a popular infrastructure tool used by the likes of IBM, LinkedIn and eBay.

The attack on Salt

Ghost blogging platform said an attacker successfully infiltrated his Salt-based server infrastructure and deployed a crypto-mining virus last Sunday.

"The investigation we are conducting indicates that a critical vulnerability within our server management infrastructure has been used in an attempt to extract cryptocurrency via our servers," reads an incident report.

"The mining attempt increased the CPUs and quickly overloaded most of our systems, which immediately alerted us to the problem." Ghost said developers on Monday removed mining malware from its servers and added new firewall configurations.

There are currently more than 6.000 Salt servers exposed online that can be hacked through this vulnerability if they are not changed promptly. Salt's vulnerability patches were released earlier this week. Salt servers should normally be implemented behind a firewall and not be exposed on the Internet.

Even Android in the sights of hackers

Salt is an open source framework developed by SaltStack that manages and automates key parts of corporate servers. Clients, including IBM Cloud, LinkedIn and eBay, use Salt to configure servers, forward messages from the "main server" and send commands at a specific time.

SaltStack warned customers a few weeks ago that a "critical vulnerability" had occurred in the latest version that allowed "a remote user to log in without authentication" and provided "arbitrary directory access to Investors authenticated. "

SaltStack also released a software update to correct the defect on April 23 last. The Android LineageOS mobile operating system claimed that hackers also had access to its main infrastructure via the same flaw, but the violation was quickly detected.

Will the hackers achieve their goal?

On Sunday, the company admitted that it did not update the Salt software in a report. It is not known whether the same group is behind the LineageOS and Ghost attacks. Crypto mining software was installed in some attacks, while hackers installed backdoors on servers in others.

It is not clear whether the hackers extracted a certain cryptocurrency. Hacking groups generally favor monero (XMR), as it can only be extracted with CPUs for general purposes, not with dedicated mining chips and can be exchanged for a low detection risk.

And you have detected any anomaly in your Android accounts or smartphones? Let us know in the comments below and give us your point of view on this matter.