Search Company Algolia Hacked via Recent Salt Vulnerabilities

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia’s infrastructure, the search-as-a-service startup revealed.

An open-source configuration tool designed for monitoring and updating the state of servers deployed in datacenters and in the cloud, Salt was recently found to be impacted by two issues that could allow attackers to execute arbitrary commands.

Tracked as CVE-2020-11651 and CVE-2020-11652 and considered critical (CVE-2020-11651 has a CVSS score of 10), the vulnerabilities were patched last week. F-Secure, the security firm that discovered the flaws, warned that they require immediate attention: “Patch by Friday or compromised by Monday,” they said.

The vulnerability only occurs if the Salt master (the central server to which “minions” connect) is exposed to the Internet. A week ago, there were roughly 6,000 instances of exposed Salt masters (Salt Master versions 2019.2.3 and Salt 3000 versions 3000.1 and earlier).

Attackers wasted no time and the first assaults targeting the critical vulnerability were launched over the weekend. LineageOS, Ghost and DigiCert were among the first to have confirmed compromises, but were not the only ones.

U.S. startup Algolia, which offers a web search product through a SaaS (Search-as-a-Service) model to more than 9,000 customers, this week revealed that it too was hit via the Salt vulnerability over the weekend.

Abusing CVE-2020-11651, hackers managed to install both a cryptocurrency miner and a backdoor on multiple Algolia servers. The attack took place on May 3 and more than 500 of the company’s servers were impacted, most of them temporarily losing indexing service, with some also losing search capabilities.

During the incident, Algolia says, roughly 2% of its servers were impacted by a search downtime longer than 5 minutes, and less than 1% were impacted by a search downtime longer than 10 minutes.

The company was able to immediately shut down the configuration manager involved in the incident, removed the malware, and then restored files back to their original state. The last impacted server was rebooted seven hours after the initial attack alert was triggered.

According to Algolia, analysis of the payloads executed during the attack has revealed that the only goal of the threat actor behind the assault was to mine cryptocurrencies, “and not to collect, alter, destroy or damage data”.

The company says it has already taken steps to ensure similar incidents won’t happen again, including updating the SaltStack service, changing security keys, and restricting access keys to specific IPs of servers, and it plans to implement additional security measures as well.

“Clients who have followed fundamental internet security guidelines and best practices are not affected by this vulnerability. […] Although there was no initial evidence that the CVE had been exploited, we have confirmed that some vulnerable, unpatched systems have been accessed by unauthorized users since the release of the patches,” Alex Peay, SVP of product and marketing at SaltStack, said in an emailed statement earlier this week.

“We must reinforce how critical it is that all Salt users patch their systems and follow the guidance we have provided outlining steps for remediation and best practices for Salt environment security. It is equally important to upgrade to latest versions of the platform and register with support for future awareness of any possible issues and remediations,” Peay also said.

Related: Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers

Related: Critical Vulnerability in Salt Requires Immediate Patching