Hackers have been taking advantage of two recently discovered vulnerabilities in MinIO, an open-source object storage service, to gain unauthorized access to private information and potentially compromise servers. The vulnerabilities, known as CVE-2023-28432 and CVE-2023-28434, affect all versions of MinIO released before March 20, 2023.

MinIO, which is compatible with Amazon S3 and can store large amounts of unstructured data, logs, backups, and container images, is popular for its high performance and cost-effectiveness, particularly for AI/ML and data lake applications.

During an incident response engagement, analysts from Security Joes found that hackers had attempted to install a modified version of MinIO called Evil MinIO, which is available on GitHub. The attackers chained the two vulnerabilities together to replace the legitimate MinIO software with a modified version that includes a remotely accessible backdoor.

To execute this attack, the hackers used social engineering tactics to convince a DevOps engineer to downgrade to a vulnerable version of MinIO. Once the vulnerable version was in place, the attackers used CVE-2023-28432 to read the server’s environment variables and obtain administrative credentials. These credentials allowed them to access the MinIO admin console and modify the software update URL to one under their control.

Through the use of CVE-2023-28434, the attackers replaced the legitimate source code file with a tampered version. The malicious update appeared identical to the legitimate MinIO application but included additional code that enabled the execution of remote commands on a compromised server.

Security Joes observed the threat actors using this backdoor to run Bash commands and download Python scripts. The backdoor operates as a built-in functionality within Evil MinIO and grants unauthorized individuals the ability to execute commands on the host running the application.

Once the object storage system is breached, the attackers establish a communication channel with a command and control (C2) server to fetch additional payloads for post-compromise activities. These include system profiling scripts, network reconnaissance scripts, Windows account creation scripts, PING scan scripts, and a China Chopper-like webshell.

Security Joes has reported that approximately 38% of the 52,125 publicly exposed MinIO instances are running a non-vulnerable version. However, it is crucial for cloud system administrators to promptly apply the available security update to protect their assets from potential attacks by Evil MinIO operators.
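Because the article defines the affected population purely by release date (every build before March 20, 2023), a defender's first step is an inventory check of MinIO version strings. The following script is an added example, not code from the article or from MinIO or Security Joes: it parses MinIO's date-based `RELEASE.YYYY-MM-DDTHH-MM-SSZ` tag format, classifies each host against the cutoff the article states, and sets aside non-release builds (development builds, garbled strings) as "unknown" rather than silently treating them as safe. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed sample data, not real systems or specific releases.

```python
import re
from datetime import date, datetime

# The article states that all MinIO versions released before March 20, 2023
# are affected by CVE-2023-28432 and CVE-2023-28434; that date is the cutoff used here.
FIX_CUTOFF = date(2023, 3, 20)

# MinIO release tags are date-based, e.g. RELEASE.2023-03-20T20-16-18Z.
RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2})T(\d{2})-(\d{2})-(\d{2})Z$")


def parse_release(tag: str):
    """Return the build date encoded in a MinIO RELEASE tag, or None if the
    string is not a well-formed release tag (including impossible dates)."""
    m = RELEASE_RE.match(tag.strip())
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    except ValueError:  # e.g. RELEASE.2023-02-30..., a date that does not exist
        return None


def classify(tag: str) -> str:
    """Classify a version string as 'vulnerable', 'patched' or 'unknown'.

    Development or custom builds carry no release date, so they cannot be
    judged by this rule and are flagged for manual review instead."""
    built = parse_release(tag)
    if built is None:
        return "unknown"
    return "vulnerable" if built < FIX_CUTOFF else "patched"


def audit(inventory: dict) -> dict:
    """Group a host -> version-string inventory by patch status."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, tag in inventory.items():
        report[classify(tag)].append(host)
    return report


# Constructed sample inventory for demonstration; hostnames and tags are made up
# but follow MinIO's tag format.
SAMPLE_INVENTORY = {
    "minio-a.internal": "RELEASE.2023-03-20T20-16-18Z",  # on the cutoff day: patched
    "minio-b.internal": "RELEASE.2023-03-13T19-46-17Z",  # one week earlier: vulnerable
    "minio-c.internal": "RELEASE.2022-10-24T18-35-07Z",  # old build: vulnerable
    "minio-d.internal": "DEVELOPMENT.GOGET",             # no release date: unknown
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A build dated on the cutoff day itself is treated as patched, which matches the article's "before March 20, 2023" wording; anything the parser cannot date lands in the "unknown" bucket, which is the right failure mode for a patch audit, since a custom or replaced binary (the Evil MinIO case above) is exactly what should not be assumed safe.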

Definitions:

– MinIO: An open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.

– Object storage: A type of data storage architecture that manages and manipulates data as discrete objects, typically stored in a flat address space.

– Security Joes: An organization specializing in incident response, security assessments, and red team operations.

Sources:

– Security Joes