F-Secure: Cybercriminals have breached Salt servers, used in cloud server clusters and corporate networks, by exploiting the CVE-2020-11651 and CVE-2020-11652 vulnerabilities
Cybercriminals have breached Salt servers, which are used to manage and automate servers within data centers, cloud server clusters and corporate networks. The intrusions were discovered by F-Secure cyber security researchers. The attack mainly affected Ghost Pro sites and ghost.org billing services. According to the experts, access was made possible by exploiting two vulnerabilities in SaltStack (patched last week), identified as CVE-2020-11651 and CVE-2020-11652. The first allows an authentication bypass that can be used to retrieve user tokens; the second allows arbitrary directory access for authenticated users. Most likely the attacks were carried out with an automated vulnerability scanner that detected outdated Salt installations and then automatically exploited the two bugs to bypass authentication and execute code on the master servers.
Cyber security experts: The attackers installed backdoors on some compromised servers and deployed cryptocurrency miners on others. More than 6,000 servers could be compromised
According to cyber security experts, the attackers installed backdoors on some of the compromised servers and deployed cryptocurrency miners on others. More than 6,000 Salt servers currently remain exposed online and could be exploited by cybercriminals. The vendor stated, however, that no user credentials or financial information were stolen. Another intrusion involved LineageOS, an Android-based mobile operating system used on smartphones, tablets and set-top boxes. LineageOS developers said the breach occurred after the attacker used an unpatched vulnerability to compromise Salt, but the operating system's source code was not affected. The LineageOS team has contained the impact and is taking steps to remediate the vulnerable servers.