Unknown threat actors have been observed weaponizing high-severity vulnerabilities in MinIO’s high-performance object storage system to execute unauthorized code on vulnerable hosts.
Security Joes, a company that specializes in cybersecurity and crisis response, claimed that the attack used a publicly accessible exploit chain to backdoor the MinIO instance.
The exploit chain consists of CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8); the first of the two was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023.
The two flaws “possess the potential to expose sensitive information present within the compromised installation and facilitate remote code execution (RCE) on the host where the MinIO application is operational,” according to a report shared with The Hacker News by Security Joes.
According to the company’s investigation, the adversary leveraged the flaws in the attack chain to obtain admin credentials and then used that foothold to replace the host’s MinIO client with a trojanized version by invoking an update command with a MIRROR_URL.
The MinIO documentation states that “The mc admin update command updates all MinIO servers in the deployment.” The command also allows for the use of a private mirror server in situations where there is no public internet access available for the deployment.
According to Security Joes, “the culmination of these actions permits the attacker to orchestrate a deceptive update. The attacker seals the compromise of the system by replacing the genuine MinIO binary with its ‘evil’ counterpart.”
The malicious changes to the program expose an endpoint that acts as a backdoor, receiving and executing commands sent via HTTP requests. Those commands run with the system permissions of the user who started the application.
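Because the compromise hinges on the genuine MinIO binary being swapped for one pulled from an attacker-controlled mirror, one defensive check is to verify the deployed binary against the vendor-published checksum rather than trusting whatever the update command fetched. The following is an added example, not code from Security Joes or the MinIO project; it assumes the checksum manifest uses the standard two-column `sha256sum` format and constructs its own sample files inline.

```python
import hashlib
import os
import re
import tempfile

# One sha256sum-style manifest line: 64 hex chars, whitespace, optional '*', filename.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def parse_sha256sum(manifest_text: str) -> dict:
    """Return {filename: sha256hex} parsed from sha256sum-style manifest text."""
    expected = {}
    for line in manifest_text.splitlines():
        m = _MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binary(path: str, manifest_text: str, name: str = None) -> bool:
    """True only when the file's digest matches the manifest entry for `name`.

    A binary delivered through a rogue mirror will not match the digest the
    vendor published for the release the deployment claims to run. An entry
    missing from the manifest is reported as a failure, not silently skipped.
    """
    expected = parse_sha256sum(manifest_text)
    name = name or os.path.basename(path)
    return name in expected and sha256_of_file(path) == expected[name]


def demo() -> tuple:
    """Constructed sample: a 'genuine' and a 'tampered' file checked against one manifest."""
    genuine = b"#!/bin/sh\necho minio-genuine\n"          # stands in for the real binary
    tampered = genuine + b"# extra bytes stand in for a backdoored build\n"
    manifest = hashlib.sha256(genuine).hexdigest() + "  minio\n"  # constructed manifest
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "minio"), os.path.join(d, "minio.bad")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(tampered)
        return verify_binary(good, manifest), verify_binary(bad, manifest, name="minio")
```

In a real deployment the manifest text would come from the vendor's release checksum file fetched over a trusted channel, and the check should run against every server in the deployment, since the update command touches all of them.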
It’s worth noting that the modified binary is a replica of the Evil MinIO exploit, which was published on GitHub in early April 2023. However, there is no evidence to suggest a link between the two.
The threat actor is evidently adept at using Python and bash scripts, and also used the backdoor access to deliver additional payloads from a remote server for post-exploitation via a downloader script.
The script serves as a gateway to profile the infected hosts and decide whether execution should be halted. It supports both Windows and Linux environments.
This dynamic behavior highlights the threat actor’s strategic approach of optimizing their efforts based on the perceived value of the compromised system, according to Security Joes.