Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Search Company Algolia Hacked via Recent Salt Vulnerabilities

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia’s infrastructure, the search-as-a-service startup revealed.

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia’s infrastructure, the search-as-a-service startup revealed.

An open-source configuration tool designed for monitoring and updating the state of servers deployed in datacenters and in the cloud, Salt was recently found to be impacted by two issues that could allow attackers to execute arbitrary commands.

Tracked as CVE-2020-11651 and CVE-2020-11652 and considered critical (CVE-2020-11651 has a CVSS score of 10), the vulnerabilities were patched last week. F-Secure, the security firm that discovered the flaws, warned that they require immediate attention: “Patch by Friday or compromised by Monday,” they said.

The vulnerability only occurs if the Salt master (the central server to which “minions” connect) is exposed to the Internet. A week ago, there were roughly 6,000 instances of exposed Salt masters (Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier).

Attackers wasted no time and the first assaults targeting the critical vulnerability were launched over the weekend. LineageOS, Ghost and DigiCert were among the first to have confirmed compromises, but were not the only ones.

U.S. startup Algolia, which offers a web search product through a SaaS (Search-as-a-Service) model to more than 9,000 customers, this week revealed that it too was hit via the Salt vulnerability over the weekend.

Abusing CVE-2020-11651, hackers managed to install both a cryptocurrency miner and a backdoor on multiple Algolia servers. The attack took place on May 3 and more than 500 of the company’s servers were impacted, most of them temporarily losing indexing service, with some also losing search capabilities.

During the incident, Algolia says, roughly 2% of its servers were impacted by a search downtime longer than 5 minutes, and less than 1% were impacted by a search downtime longer than 10 minutes.

Advertisement. Scroll to continue reading.

The company was able to immediately shut down the configuration manager involved in the incident, removed the malware, and then restored files back to their original state. The last impacted server was rebooted seven hours after the initial attack alert was triggered.

According to Algolia, analysis of the payloads executed during the attack has revealed that the only goal of the threat actor behind the assault was to mine cryptocurrencies, “and not to collect, alter, destroy or damage data”.

The company says it has already taken steps to ensure similar incidents won’t happen again, including updating the SaltStack service, changing security keys, and restricting access keys to specific IPs of servers, and it plans to implement additional security measures as well.

“Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability. […] Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches,” Alex Peay, SVP of product and marketing at SaltStack, said in an emailed statement earlier this week.

“We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations,” Peay also said.

Related: Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Related: Critical Vulnerability in Salt Requires Immediate Patching

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.