Hackers seize on software flaw to breach two victims, despite patch availability
Days after researchers warned of critical vulnerabilities in popular data-management software, hackers have exploited the flaws to breach two organizations that rely on the technology.
LineageOS, a free Android-based operating system, and Ghost, a nonprofit behind widely used blogging software, reported Sunday that unidentified hackers had breached their infrastructure in apparently separate incidents. The disruptions are an example of how bugs found in widely used code often end up being exploited maliciously — even when software updates are available.
Both LineageOS and Ghost rely on a tool for managing data centers and cloud-computing networks known as the Salt management framework. Cybersecurity company F-Secure reported two vulnerabilities in Salt last week which could enable attackers to execute code remotely and manipulate data. “Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker,” said Rody Quinlan, a researcher at another security vendor, Tenable.
Ghost said it was rebuilding its network. Customer data wasn’t stolen, the nonprofit said, though attackers did use its infrastructure to try to generate cryptocurrency. Meanwhile, the breach forced LineageOS servers offline. At press time Monday, LineageOS was still working to bring its systems back online.
SaltStack, the company behind the software, issued fixes for the flaws, but neither LineageOS nor Ghost appears to have applied them before hackers struck.
The process of mitigating software flaws affecting a wide range of systems can be long and difficult. Earlier this year, hackers exploited a vulnerability in two products made by Citrix for weeks, both before and after fixes were available.
The reasons for not installing a security update vary by organization. Some patches require taking areas of a business offline, such as knocking out client connections, necessitating corporate cost-benefit analyses.
The vulnerabilities in SaltStack may not be as urgent as those in Citrix, but there still could be numerous organizations susceptible to the type of hack that hit LineageOS and Ghost. F-Secure reported more than “6,000 instances of this service exposed to the public internet.”
“[A]ny competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” F-Secure said in its advisory.