Playbook for attack on Salt servers
By venkat
The hackers use CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal) to take control of the Salt master server.
- Consider taking the affected servers offline to investigate the incident and patch the vulnerable servers.
- Patches for the Salt vulnerabilities were released earlier this week. Salt servers should normally be deployed behind a firewall and not left exposed on the internet.
- SaltStack engineers patched these vulnerabilities in release 3000.2, and users of Salt are encouraged to make sure that their installs are configured to automatically pull updates from SaltStack's repository server; see https://repo.saltstack.com/ for more information. A patch release for the previous major release version is also available, with version number 2019.2.4.
- Adding network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet, would also be prudent as the authentication and authorization controls provided by Salt are not currently robust enough to be exposed to hostile networks.
- Have a quick look at related incidents. Understanding your adversary is half the battle won. Details at: https://labs.f-secure.com/advisories/saltstack-authorization-bypass
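To turn the patch advice above into a fleet check, here is an added example (not SaltStack's code) that triages collected `salt --version` strings against the fixed releases named on this page, 3000.2 and 2019.2.4. The hostnames and version strings are constructed; it assumes that release lines after 3000 carry the fix forward and that lines older than 2019.2 have no listed fix.

```python
"""Triage Salt installs against the fixed releases named in this playbook."""
import re

# Fixed releases from the advisory, keyed by release line:
# 3000.2 on the 3000 line, 2019.2.4 on the previous major line.
FIXED = {"3000": (3000, 2), "2019.2": (2019, 2, 4)}

# Salt version numbers are four digits (YYYY.N.P before 3000, 3000.P after).
_VERSION_RE = re.compile(r"(?<!\d)(\d{4})(?!\d)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract a numeric version tuple from e.g. 'salt 2019.2.3' or '3000.1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def release_line(version: tuple) -> str:
    """Salt used YYYY.N lines before 3000 and a plain counter from 3000 on."""
    if version[0] >= 3000:
        return str(version[0])
    return ".".join(str(p) for p in version[:2])


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'no-fix-for-line' for one install."""
    version = parse_version(text)
    if version[0] > 3000:
        return "patched"  # assumption: later release lines include the 3000.2 fix
    fixed = FIXED.get(release_line(version))
    if fixed is None:
        return "no-fix-for-line"  # e.g. 2018.3: no patched release is listed
    # Tuple comparison treats a bare '3000' as older than 3000.2.
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inventory (hostnames and versions are not real data).
SAMPLE_INVENTORY = {
    "salt-master-a": "salt 3000.2",
    "salt-master-b": "salt 3000.1",
    "salt-master-c": "salt 2019.2.4",
    "salt-master-d": "salt 2019.2.3",
    "salt-master-e": "salt 2018.3.5",
}


def hosts_needing_action(inventory=None) -> list:
    """Hosts not on a fixed release, sorted so the report is stable."""
    inv = SAMPLE_INVENTORY if inventory is None else inventory
    return sorted(h for h, v in inv.items() if assess(v) != "patched")
```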
- Abnormal CPU utilization or servers going down.
- The hackers could have installed a backdoor and a cryptocurrency miner on your server.
More references in news