[BreachExchange] Search Company Algolia Hacked via Recent Salt Vulnerabilities

Mon May 11 10:17:23 EDT 2020

https://www.securityweek.com/search-company-algolia-hacked-recent-salt-vulnerabilities

A couple of Salt vulnerabilities addressed last week were abused over
the weekend to hack Algolia’s infrastructure, the search-as-a-service
startup revealed.

An open-source configuration tool designed for monitoring and updating
the state of servers deployed in datacenters and in the cloud, Salt
was recently found to be impacted by two issues that could allow
attackers to execute arbitrary commands.

Tracked as CVE-2020-11651 and CVE-2020-11652 and considered critical
(CVE-2020-11651 has a CVSS score of 10), the vulnerabilities were
patched last week. F-Secure, the security firm that discovered the
flaws, warned that they require immediate attention: “Patch by Friday
or compromised by Monday,” they said.

The vulnerability only occurs if the Salt master (the central server
to which “minions” connect) is exposed to the Internet. A week ago,
there were roughly 6,000 instances of exposed Salt masters (Salt
Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier).

Attackers wasted no time and the first assaults targeting the critical
vulnerability were launched over the weekend. LineageOS, Ghost and
DigiCert were among the first to have confirmed compromises, but were
not the only ones.

U.S. startup Algolia, which offers a web search product through a SaaS
(Search-as-a-Service) model to more than 9,000 customers, this week
revealed that it too was hit via the Salt vulnerability over the
weekend.

Abusing CVE-2020-11651, hackers managed to install both a
cryptocurrency miner and a backdoor on multiple Algolia servers. The
attack took place on May 3 and more than 500 of the company’s servers
were impacted, most of them temporarily losing indexing service, with
some also losing search capabilities.

During the incident, Algolia says, roughly 2% of its servers were
impacted by a search downtime longer than 5 minutes, and less than 1%
were impacted by a search downtime longer than 10 minutes.

The company was able to immediately shut down the configuration
manager involved in the incident, removed the malware, and then
restored files back to their original state. The last impacted server
was rebooted seven hours after the initial attack alert was triggered.

According to Algolia, analysis of the payloads executed during the
attack has revealed that the only goal of the threat actor behind the
assault was to mine cryptocurrencies, “and not to collect, alter,
destroy or damage data”.

The company says it has already taken steps to ensure similar
incidents won’t happen again, including updating the SaltStack
service, changing security keys, and restricting access keys to
specific IPs of servers, and it plans to implement additional security
measures as well.

“Clients who have followed fundamental internet security guidelines
and best practices are not affected by this vulnerability. […]
Although there was no initial evidence that the CVE had been
exploited, we have confirmed that some vulnerable, unpatched systems
have been accessed by unauthorized users since the release of the
patches,” Alex Peay, SVP of product and marketing at SaltStack, said
in an emailed statement earlier this week.

“We must reinforce how critical it is that all Salt users patch their
systems and follow the guidance we have provided outlining steps for
remediation and best practices for Salt environment security. It is
equally important to upgrade to latest versions of the platform and
register with support for future awareness of any possible issues and
remediations,” Peay also said.