Hackers seize on software flaw to breach two victims, despite patch availability

LineageOS and Ghost — makers of open-source software — grappled with security incidents over the weekend.

Days after researchers warned of critical vulnerabilities in popular data-management software, hackers have exploited the flaws to breach two organizations that rely on the technology.

LineageOS, a free Android-based operating system, and Ghost, a nonprofit behind widely used blogging software, reported Sunday that unidentified hackers had breached their infrastructure in apparently separate incidents. The disruptions are an example of how bugs found in widely used code often end up being exploited maliciously — even when software updates are available.

Both LineageOS and Ghost rely on a tool for managing data centers and cloud-computing networks known as the Salt management framework. Cybersecurity company F-Secure reported two vulnerabilities in Salt last week that could enable attackers to execute code remotely and manipulate data. “Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker,” said Rody Quinlan, a researcher at another security vendor, Tenable.

Ghost said it was rebuilding its network. Customer data wasn’t stolen, the nonprofit said, though attackers did use its infrastructure to try to generate cryptocurrency. Meanwhile, the breach forced LineageOS servers offline. At press time Monday, LineageOS still was working to bring its systems back online.


SaltStack, the company behind the software, issued fixes for the flaws, but neither LineageOS nor Ghost appears to have applied them before hackers struck.

The process of mitigating software flaws affecting a wide range of systems can be long and difficult. Earlier this year, hackers exploited a vulnerability in two products made by Citrix for weeks, both before and after fixes were available.

The reasons for not installing a security update vary by organization. Some patches require taking areas of a business offline, such as knocking out client connections, necessitating corporate cost-benefit analyses.

The vulnerabilities in SaltStack may not be as urgent as those in Citrix, but there still could be numerous organizations susceptible to the type of hack that hit LineageOS and Ghost. F-Secure reported more than “6,000 instances of this service exposed to the public internet.”

“[A]ny competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” F-Secure said in its advisory.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
