A concerning cybersecurity incident has emerged involving a previously unidentified threat actor exploiting critical vulnerabilities in the MinIO object storage platform. This series of attacks enables unauthorized code execution on affected servers, prompting alarm among cybersecurity professionals.

According to Security Joes, a cybersecurity and incident response firm, the attackers utilized a publicly known exploit chain to compromise the MinIO instances. Specifically, they took advantage of vulnerabilities identified as CVE-2023-28432 and CVE-2023-28434, which have been assigned CVSS scores of 7.5 and 8.8, respectively. Notably, the first of these vulnerabilities was included in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list on April 21, 2023.

Security Joes emphasizes the serious implications of these vulnerabilities, stating they could expose sensitive data from the compromised installations. Moreover, they facilitate remote code execution on the servers running MinIO applications. The attack chain demonstrated by the researchers revealed how the vulnerabilities were weaponized to obtain administrative credentials, which were then leveraged to install a trojanized version of the MinIO client on the impacted host.

The MinIO documentation points out that the command used by the attackers, “mc admin update,” is designed to update all servers within a MinIO deployment, with support for sourcing updates from a private mirror server for environments without internet access. This tactic allowed the adversary to conduct what Security Joes refers to as a “deceptive update,” ultimately ensuring the persistence of their malicious activity by substituting the legitimate MinIO binary with a compromised variant.

The modified binary effectively functions as a backdoor, executing commands received via HTTP requests while operating with the permissions of the user who launched the application. Security Joes has determined that this altered binary mirrors an exploit known as Evil MinIO, which was made available on GitHub in early April 2023. However, there are currently no indications linking this repository to the threat actor.
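As an added example (not code from Security Joes' report or from the MinIO project), two defender-side checks against the deceptive update and binary substitution described above: flagging admin update calls in MinIO-style JSON audit entries whose mirror is not the official release host, and verifying the installed binary against a known-good SHA-256. The audit keys `api.name` and `requestQuery.updateURL`, the action name `ServerUpdate`, and the trusted host `dl.min.io` are assumptions for this example, and the log lines are constructed.

```python
"""Defender-side checks for the 'deceptive update' pattern described above:
(1) flag server-update API calls in MinIO-style JSON audit entries whose update
source is not the official release host; (2) verify the installed minio binary
against a known-good SHA-256 from the official release checksums."""
import hashlib
import json
from urllib.parse import urlparse

# Assumption: the only legitimate update source is the official release host.
TRUSTED_UPDATE_HOSTS = {"dl.min.io"}

# Constructed sample audit entries. The keys `api.name`, `requestQuery.updateURL`
# and the action name `ServerUpdate` are assumptions, not verified MinIO fields.
SAMPLE_AUDIT_LOG = [
    '{"time":"2023-09-01T10:00:00Z","api":{"name":"GetObject"},"remotehost":"10.0.0.5"}',
    '{"time":"2023-09-01T10:05:00Z","api":{"name":"ServerUpdate"},'
    '"requestQuery":{"updateURL":"https://dl.min.io/server/minio/release/linux-amd64/"},'
    '"remotehost":"10.0.0.9"}',
    '{"time":"2023-09-01T10:07:00Z","api":{"name":"ServerUpdate"},'
    '"requestQuery":{"updateURL":"http://198.51.100.23/minio"},"remotehost":"10.0.0.9"}',
]


def suspicious_updates(lines):
    """Return (time, remotehost, updateURL) for update calls sourced outside the allow-list.

    An empty updateURL means the default (official) source was used; an explicit
    mirror anywhere else is the 'private mirror' path abused in the attack.
    """
    hits = []
    for raw in lines:
        entry = json.loads(raw)
        if entry.get("api", {}).get("name") != "ServerUpdate":
            continue
        url = entry.get("requestQuery", {}).get("updateURL", "")
        if url and urlparse(url).hostname not in TRUSTED_UPDATE_HOSTS:
            hits.append((entry["time"], entry.get("remotehost"), url))
    return hits


def binary_matches(data: bytes, expected_sha256: str) -> bool:
    """True if the binary bytes (e.g. read from /usr/local/bin/minio) match the known-good hash."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for hit in suspicious_updates(SAMPLE_AUDIT_LOG):
        print("suspicious admin update:", hit)
```

In a real deployment the expected hash comes from the published checksums of the release you intend to run, and a mismatch on a host that also shows an update call from an unexpected mirror is the signal to treat the binary as replaced.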

The sophistication of the threat actor is evident in their adept use of bash scripts and Python, allowing them to conduct further post-exploitation activities by executing additional payloads from a remote server. The downloader script, capable of targeting both Windows and Linux systems, evaluates the compromised hosts to decide on potential further actions.

In terms of the MITRE ATT&CK framework, techniques employed in this incident likely include initial access through exploitation of vulnerabilities, persistence via the backdoored application, and privilege escalation facilitated by the compromised credentials. This adaptive methodology suggests the actor assesses compromised systems and pursues further exploitation according to their perceived value.

As this incident underscores the growing risks associated with widely used object storage solutions, it serves as a critical reminder for businesses to prioritize cybersecurity measures and ensure robust patch management practices.