A group of hackers installed crypto-mining malware on a corporate server by exploiting a weak point in Salt, a popular infrastructure tool used by IBM, LinkedIn and eBay.
Blogging platform Ghost said on Sunday that an attacker successfully infiltrated its Salt-based server infrastructure and deployed a crypto-mining virus.
“Our investigation indicates that a critical vulnerability in our server management infrastructure … was used in an attempt to mine cryptocurrency on our servers,” reads a report on the incident. “The mining attempt increased CPUs and overloaded most of our systems quickly, which immediately alerted us to the problem.”
Ghost said on Monday that its developers had removed the mining malware from its servers and added entirely new firewall configurations.
Salt is an open source framework, developed by SaltStack, which manages and automates key parts of corporate servers. Customers, including IBM Cloud, LinkedIn, and eBay, use Salt to configure servers, relay messages from the “master server” and issue commands on a specific time schedule.
SaltStack warned customers a few weeks ago that there was a “critical vulnerability” in the latest version of Salt that allowed a “remote user to access some methods without authentication” and gave “arbitrary directory access to authenticated users”.
On April 23rd, SaltStack also released a software update that fixes the problem.
LineageOS, an Android mobile operating system, said hackers had also gained access to its core infrastructure via the same defect, but the breach was detected quickly. In a report on Sunday, the company admitted that it hadn’t updated the Salt software.
It is unknown whether the same group is behind the LineageOS and Ghost attacks. Some attacks have implanted crypto-mining software, while others have implanted backdoors into servers.
It is unclear whether the hackers mined a particular cryptocurrency. Hacking groups have generally favored monero (XMR), as it can only be mined with general-purpose CPUs, not dedicated mining chips, and can be traded with little risk of detection.
CoinDesk has reached out to SaltStack for comment, but had not received a response by press time.