Exploitation of SaltStack Vulnerabilities Signals Increase in Cloud Server Attacks

Written by Intezer


    Recently attackers exploited vulnerabilities in the popular SaltStack infrastructure automation software to infect cloud servers. Several organizations and open-source projects had to shut down services due to their servers being hacked.

    SaltStack is used extensively in infrastructure, network and security automation, largely to manage data centres and cloud environments. According to IT security company F-Secure, over 6,000 Salt master servers—which are common in environments such as Amazon Web Services (AWS) and Google Cloud Platform—were directly exposed to the internet.

    If successfully exploited, these vulnerabilities allow attackers to execute code remotely with root privileges on Salt master repositories, meaning they could install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. It was later reported that the attackers' goal was to deploy cryptocurrency mining malware on the compromised servers.

    Attackers Exploiting these Vulnerabilities

    We have observed attackers already taking advantage of these vulnerabilities (SaltStack, CVE-2020-11651, CVE-2020-11652) in the wild to deploy their own malware. This H2Miner sample, for example, which uses CVE-2020-11651/2, was uploaded to Intezer Analyze by a member of the community. Despite having only two detections in VirusTotal, the threat was classified as H2Miner based on ‘genetic’ similarities to previous variants.

    One day later, we observed another H2Miner sample uploaded to the community, with two detections in VirusTotal. The crypto-miner again exploits vulnerabilities CVE-2020-11651/2.

    And today, we encountered an undetected Linux rootkit. This sample was referenced in the discovery of the SaltStack vulnerability exploited by the coinminer Kinsing botnet.

    Cyber Attacks on Cloud Servers Signal a Growing Trend

    As businesses connect their workers remotely due to COVID-19, the demand for cloud services has increased significantly. With that growth, cyber attacks targeting cloud servers are also on the rise. Just last week, our researcher Paul Litvak discovered a botnet written from scratch and designed to infect Linux-based servers and Internet of Things (IoT) devices.

    According to the shared responsibility model, the cloud provider is responsible for the security of the cloud (e.g., data centers, network, and server equipment); whereas the cloud consumer is responsible for the security of the workloads running on top of the virtual resources in the cloud provider’s platform. Organizations should be aware of this in order to secure their cloud servers.

    Protect your Linux Cloud Servers against Vulnerability Exploitation and other Cyber Attacks

    Linux cloud servers are common in modern production environments. Download our TTPs matrix for Linux cloud servers to defend this infrastructure against adversary tactics spanning initial access, execution, and more.

    You can also request free access to our new Cloud Workload Protection Platform—which was recognized in the latest Gartner market guide—to defend your cloud servers in runtime against unauthorized or malicious code. See it in action here:

