Malicious actors are abusing two recently disclosed flaws in the MinIO Object Storage solution to breach object storage systems to achieve unauthorized code execution on impacted servers.
MinIO is a high-performance, distributed object storage system built for large-scale AI/ML, data lake and database workloads. It is software-defined and runs on any cloud or on-premises infrastructure.
According to a report from cybersecurity and incident response firm Security Joes, the attackers used a publicly available exploit chain to backdoor a MinIO instance. The exploit chain involves two vulnerabilities tracked as CVE-2023-28432 and CVE-2023-28434, the former of which is an information disclosure issue, while the latter is a privilege escalation flaw.
These vulnerabilities impact all MinIO versions that precede RELEASE.2023-03-20T20-16-18Z. Both bugs were disclosed and addressed by the vendor in March of this year.
During the analysis, the Security Joes researchers discovered a previously unreported exploit chain comprised of CVE-2023-28432 and CVE-2023-28434. Further investigaion revealed that said exploit code is available on the GitHub repository “evil_minio”.
In the observed attack chain, the two flaws were weaponized by the threat actor to obtain admin credentials and replace the MinIO client on the host with a modified version that provides backdoor access to the system.
“While the backdoor used by the threat actor during the intrusion leverages the exploitation of MinIO and does not necessitate an external PHP script for its execution, it's imperative to underscore the range of tools at the disposal of the threat actor,” the researchers said. “These tools can potentially be employed to compromise additional environments that may not necessarily have any direct link to MinIO. This observation accentuates the threat actor's versatility and emphasizes the need for a comprehensive security posture that remains vigilant against various vectors of attack.”
