Ghost, one of the leading open-source online publishing platforms for creators, came under attack on May 3, causing a service outage. The platform currently has over 750,000 subscribers and 2 million installations.
The dev team of the popular blogging platform got to work and determined that its servers had been hacked and were being illicitly used to mine cryptocurrencies.
Ghost confirmed the cyberattack on its servers, saying hackers exploited vulnerabilities present in Salt, an infrastructure tool, to acquire access to Ghost.org billing services and Ghost websites. According to the development team:
“The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately.”
Ghost, which has a decorated list of high-profile customers including NASA, DuckDuckGo, and Mozilla, said that customer data, credit card information, and subscriber credentials weren't compromised. To limit the effects of the hack, Ghost introduced firewalls and security precautions in the meantime, which caused temporary network instability.
As the situation developed, Ghost's dev team announced that it was working relentlessly to restore all services and websites as soon as possible while taking every imaginable step to ensure customer data remained safe and secure. Although the dev team didn't find any evidence that hinted at unauthorized access to its data or systems, all keys, passwords, and sessions were cycled and servers were re-provisioned to ensure robust security.
On May 4, Ghost announced through its status page that all traces of the crypto-mining attack had been successfully countered and eliminated. It added that all systems were in stable condition and that it had no evidence or reason to believe there were any further network issues or concerns.
"All traces of the crypto-mining virus were successfully eliminated yesterday, all systems remain stable, and we have not discovered any further concerns or issues on our network. The team is now working hard on remediation to clean and rebuild our entire network."
The development team is now working on remediation to tidy up and reestablish the entire network, and the status report will remain open until all issues are completely resolved. Ghost will notify all customers about this crypto-mining attempt to keep matters transparent.
Crypto-mining, also known as crypto-jacking, is on a steady rise, and Ghost isn't the first victim: DigiCert and LineageOS were also targeted by the hackers. Capital One, a Virginia-based financial institution, also revealed that it became a victim of crypto-mining in July, in an attack that exposed the data of over 100 million customers.
Given the severity of the threat, Ghost's development team did an exceptional job of identifying and subduing the attack in a matter of hours.