An unknown threat actor recently exploited high-severity vulnerabilities in the MinIO object storage system [1] [2] [3], a popular open-source service, to gain unauthorized access to corporate networks.
Description
These vulnerabilities, known as CVE-2023-28432 and CVE-2023-28434 [3] [4], allow the attacker to execute unauthorized code and potentially take control of affected servers. They affect all versions of MinIO released before March 20, 2023, and were promptly addressed by the vendor on March 3, 2023 [4].
The attackers used social engineering tactics to convince a DevOPS engineer to install a modified version of MinIO called ‘Evil MinIO’ [4]. This version introduced a backdoor that could be accessed remotely. By exploiting CVE-2023-28432 [4], the attackers gained access to the server’s environment variables and obtained administrative credentials for the MinIO admin console [4]. They then manipulated the software update URL to deliver a malicious update leveraging CVE-2023-28434 [4]. This update included additional code that enabled the execution of remote commands on compromised servers [4].
It is important to note that the backdoor present in Evil MinIO went undetected by the Virus Total scanning platform. Security experts have expressed concerns about the significant number of MinIO instances exposed on the public internet, with 52,125 instances currently at risk. Cloud system administrators are strongly advised to promptly apply the available security update to mitigate the potential risks associated with these vulnerabilities.
The threat actor behind these attacks is proficient in bash scripts and Python and utilizes a downloader script to target both Windows and Linux environments [2]. They strategically optimize their efforts based on the value of the compromised system [1] [2].
Conclusion
The exploitation of vulnerabilities in the MinIO object storage system has serious implications for corporate networks. Promptly applying the available security update is crucial to mitigate the risks associated with these vulnerabilities. The significant number of exposed MinIO instances on the public internet highlights the need for heightened security measures. Cloud system administrators should remain vigilant and take necessary precautions to protect their systems from potential attacks.
References
[1] https://vulners.com/thn/THN:71BAEF90D3087C90E20540FAFAF3A6DE
[2] https://www.redpacketsecurity.com/hackers-exploit-minio-storage-system-vulnerabilities-to-compromise-servers/
[3] https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html
[4] https://vulnera.com/newswire/minio-storage-system-exploited-by-hackers-to-infiltrate-corporate-networks/