Recently attackers exploited vulnerabilities in the popular SaltStack infrastructure automation software to infect cloud servers. Several organizations and open-source projects had to shut down services due to their servers being hacked.
SaltStack is used extensively in infrastructure, network and security automation solutions, largely to maintain data centres and cloud environments. According to IT security company F-Secure, over 6,000 Salt master servers—which are popular in environments such as Amazon Web Services (AWS) and Google Cloud Platform—were directly exposed to the internet.
Once successfully exploited, these vulnerabilities allow attackers to execute code remotely with root privileges on Salt master servers, meaning they could install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. It was later reported that the attackers' goal was to deploy cryptocurrency mining malware on the compromised servers.
Attackers Exploiting these Vulnerabilities
We have observed attackers already taking advantage of these vulnerabilities (SaltStack, CVE-2020-11651 and CVE-2020-11652) in the wild to deploy their own malware. This H2Miner sample, for example, which uses CVE-2020-11651/2, was uploaded to Intezer Analyze by a member of the community. Despite having only two detections in VirusTotal, the threat was classified as H2Miner based on ‘genetic’ code similarities to previous variants.
🆕 H2Miner attacking SaltStack instances using CVE-2020-11651/2. It used to be hosted on https://t.co/R60uPrwGS3. Very similar to old instances. https://t.co/3mKbx3wEAo
— Intezer (@IntezerLabs) May 4, 2020
One day later, we observed another H2Miner sample uploaded to the community, again with only two detections in VirusTotal. This crypto-miner also exploits CVE-2020-11651/2.
Another fresh sample of H2Miner, 2/60 detections in VT – 98d3fd460e56eff5182d5abe2f1cd7f042ea24105d0e25ea5ec78fedc25bac7c https://t.co/RnWUugZ7bV https://t.co/RAwFMtwwqZ
— Intezer (@IntezerLabs) May 5, 2020
And today, we encountered a Linux rootkit with no detections. This sample was referenced in the report on the SaltStack vulnerability being exploited by the Kinsing coinminer botnet.
🆕 FUD #Linux LD-PRELOAD userland #rootkit uploaded from US and Russia, hides SSH connections via hooking fopen on /dev/net/tcp and makes itself invisible via hooking readdir
4915543d0a27d6fd68ec62ffff7da474
a3446ebfa8dacbf623b44587e9fe5c7c
— Intezer (@IntezerLabs) May 11, 2020
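The rootkit described in the tweet above works by hooking libc functions through LD_PRELOAD: a hooked fopen() filters what a stdio-based tool sees in the socket table, and a hooked readdir() hides the library's own files. A hook in libc cannot filter the raw open(2)/read(2) syscall path, so a defender can cross-check the two views. The following is an added example written for this post, not Intezer's code or the rootkit's: it reads /proc/net/tcp (the Linux IPv4 socket table; the tweet's path is as quoted) once through raw syscalls and once through stdio, compares the entry counts, and reports whether /etc/ld.so.preload, the usual persistence point for such libraries, is present and non-empty. The /proc/net/tcp sample embedded for self-testing is constructed, and the check is Linux-only.

```c
/* Added example, not Intezer's code: cross-check /proc/net/tcp as read via raw
 * open(2)/read(2) against the same file read via stdio fopen()/fgets(). An
 * LD_PRELOAD hook on fopen() can tamper with the stdio view only, so a count
 * mismatch is a detection signal. Also reports /etc/ld.so.preload presence. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct tcp_entry {
    unsigned local_addr, local_port;   /* hex as printed by the kernel */
    unsigned remote_addr, remote_port;
    unsigned state;                    /* 0x0A = LISTEN, 0x01 = ESTABLISHED */
};

/* Parse one /proc/net/tcp data line; returns 1 on success, 0 for the header. */
int parse_tcp_line(const char *line, struct tcp_entry *e)
{
    int n = sscanf(line, " %*d: %8x:%4x %8x:%4x %2x",
                   &e->local_addr, &e->local_port,
                   &e->remote_addr, &e->remote_port, &e->state);
    return n == 5;
}

/* Count parseable socket lines in an in-memory copy of the file. */
int count_entries_in_buffer(const char *buf)
{
    int count = 0;
    struct tcp_entry e;
    const char *p = buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_tcp_line(line, &e)) count++;
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Read the file with open(2)/read(2) only, bypassing stdio. -1 on error. */
int count_entries_raw(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t cap = 16384, used = 0;
    char *buf = malloc(cap);
    if (!buf) { close(fd); return -1; }
    for (;;) {
        if (used + 1 >= cap) {            /* grow: /proc files report no size */
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); close(fd); return -1; }
            buf = nb;
        }
        ssize_t r = read(fd, buf + used, cap - used - 1);
        if (r < 0) { free(buf); close(fd); return -1; }
        if (r == 0) break;
        used += (size_t)r;
    }
    close(fd);
    buf[used] = '\0';
    int count = count_entries_in_buffer(buf);
    free(buf);
    return count;
}

/* Read the same file through stdio, the path a fopen() hook can tamper with. */
int count_entries_stdio(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[512];
    struct tcp_entry e;
    int count = 0;
    while (fgets(line, sizeof line, f))
        if (parse_tcp_line(line, &e)) count++;
    fclose(f);
    return count;
}

/* 1 if /etc/ld.so.preload exists and is non-empty, else 0. */
int ld_preload_present(void)
{
    struct stat st;
    return stat("/etc/ld.so.preload", &st) == 0 && st.st_size > 0;
}

/* Constructed sample in /proc/net/tcp format: header, a listener on port 22
 * (hex 0016) and one established loopback connection. Used for self-testing. */
const char *SAMPLE_TCP_FILE =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0016 0100007F:D2B4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1\n";

int main(void)
{
    int raw = count_entries_raw("/proc/net/tcp");
    int via_stdio = count_entries_stdio("/proc/net/tcp");
    printf("/proc/net/tcp entries: raw=%d stdio=%d\n", raw, via_stdio);
    if (raw >= 0 && via_stdio >= 0 && raw != via_stdio)
        printf("WARNING: stdio view differs from raw syscall view (possible fopen hook)\n");
    printf("/etc/ld.so.preload present: %s\n", ld_preload_present() ? "yes" : "no");
    return 0;
}
```

Run the two reads back to back on a quiet host; a persistent difference, rather than a one-off caused by a connection opening between the reads, is what matters. The same idea extends to the readdir() hook: listing a directory with the getdents64 syscall and comparing it with readdir()'s output exposes hidden entries in exactly the same way.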
Cyber Attacks on Cloud Servers Signal a Growing Trend
As businesses connect their workers remotely due to COVID-19, the demand for cloud services has increased significantly. Alongside that growth, cyber attacks targeting cloud servers are on the rise. Just last week, our researcher Paul Litvak discovered a botnet written from scratch and designed to infect Linux-based servers and Internet of Things (IoT) devices.
According to the shared responsibility model, the cloud provider is responsible for the security of the cloud (e.g., data centers, network, and server equipment); whereas the cloud consumer is responsible for the security of the workloads running on top of the virtual resources in the cloud provider’s platform. Organizations should be aware of this in order to secure their cloud servers.
Protect your Linux Cloud Servers against Vulnerability Exploitation and other Cyber Attacks
Linux cloud servers are common in modern production environments. Download our TTPs matrix for Linux cloud servers to defend this infrastructure against adversary tactics spanning initial access, execution, and more.
You can also request free access to our new Cloud Workload Protection Platform—which was recognized in the latest Gartner market guide—to defend your cloud servers in runtime against unauthorized or malicious code. See it in action here: