The search service Algolia has reported a breach in which attackers exploited a vulnerability in the Salt server-management software and gained access to the service's infrastructure. The intruders installed a backdoor and a cryptocurrency miner on several servers, but their actions did not significantly affect the company's operations.
The intrusion was detected immediately after the company's engineers received server alerts about an outage of the search and indexing functions for a number of customers. The engineers removed the malware, took the vulnerable servers offline and quickly restored customer service; for most customers the downtime lasted no more than 10 minutes. According to the engineers, the sole purpose of the attack was cryptocurrency mining, not the collection, modification, destruction or corruption of data.
According to Algolia, the hack occurred on Sunday, May 3. The timing coincides with other hacks reported by LineageOS, Ghost, DigiCert, Xen Orchestra and other small companies. Algolia was allegedly attacked by the operators of the Kinsing botnet, who are behind all of the above incidents.
Kinsing operators were the first to exploit the authentication bypass (CVE-2020-11651) and directory bypass (CVE-2020-11652) vulnerabilities in Salt to take control of Salt master servers. The number of attacks is expected to increase in the near future, since proof-of-concept (PoC) code for the authentication bypass vulnerability (CVE-2020-11651) has been published on GitHub by several users.
SaltStack, the developer of Salt, has already released patches for these vulnerabilities. Currently, about 6,000 vulnerable Salt servers have been found exposed on the Internet.