MinIO Storage System Exploited by Hackers to Infiltrate Corporate Networks
September 4, 2023
Cybercriminals are taking advantage of two recent vulnerabilities in MinIO, an open-source object storage service, to infiltrate corporate networks. These vulnerabilities allow the attackers to access sensitive data, run arbitrary code, and potentially gain control over servers. MinIO is a popular choice for large-scale AI/ML and data lake applications due to its high performance and versatility.
The vulnerabilities being exploited, identified as CVE-2023-28432 and CVE-2023-28434, affect all MinIO versions before RELEASE.2023-03-20T20-16-18Z. These were disclosed and rectified by the vendor on March 3, 2023.
Security Joes incident responders found that the attackers attempted to install a modified version of the MinIO application, called 'Evil MinIO', available on GitHub. This attack involved chaining both the CVE-2023-28432 information disclosure and the CVE-2023-28434 flaws to replace the original MinIO software with modified code that introduces a remotely accessible backdoor.
The attack began with the cybercriminals using social engineering to convince a DevOPS engineer to downgrade to a previous version of the MinIO software that is affected by the two vulnerabilities. Once installed, the attackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD variables.
These administrative credentials allowed the hackers to access the MinIO admin console using the MinIO client. From there, the hackers could alter the software update URL to a URL under their control, allowing them to push a malicious update. This update process utilized the CVE-2023-28434 flaw to swap the legitimate .go source code file with a tampered one.
The malicious update appears identical to the legitimate MinIO app, but includes additional code that enables the execution of commands remotely on a compromised server. Security Joes analysts observed the threat actors using this backdoor to execute Bash commands and download Python scripts.
'This endpoint functions as a built-in backdoor, granting unauthorized individuals the ability to execute commands on the host running the application,' the researchers explained. They further noted that 'due to inadequate security practices, the DevOps engineer launching the application held root-level permissions.'
Security Joes has reported that the backdoor in Evil MinIO is not detected by engines on the Virus Total scanning platform, despite the tool being published a month ago. After breaching the object storage system, the attackers establish a communication channel with the command and control (C2) server to fetch additional payloads that facilitate post-compromise activity.
Security Joes warns that there are 52,125 MinIO instances exposed on the public internet, and approximately 38% of them were confirmed to run a non-vulnerable software version. Therefore, cloud system administrators are urged to promptly apply the available security update to protect their assets from Evil MinIO operators.
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.
By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.
Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.