
High-Severity Flaws in MinIO Object Storage System to Achieve RCE

Unidentified attackers have been found exploiting serious security flaws in MinIO, a popular object storage system engineered for high performance. An investigation by cybersecurity firm Security Joes revealed that the intruders are using a readily accessible exploit chain to achieve unauthorized code execution on compromised servers.

The flaws are CVE-2023-28432, with a CVSS score of 7.5, and CVE-2023-28434, with a CVSS score of 8.8. Notably, the first flaw, CVE-2023-28432, was added to the Known Exploited Vulnerabilities (KEV) catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on April 21, 2023.

As Security Joes explains, the danger of these two vulnerabilities lies in their ability to expose sensitive data held within the compromised installation and to enable remote code execution (RCE) on the host where MinIO is running.

In the attack sequence analyzed by Security Joes, the attacker used these vulnerabilities to obtain administrative credentials. The attacker then used that access to replace the original MinIO client on the host with a tampered version via an update command specifying a MIRROR_URL.

"The deployment of these maneuvers facilitates the hackers in manufacturing a convincing falsified update," the investigators at Security Joes explained. By replacing the original MinIO binary with the malicious replica, the attacker furthers the compromise of the system's security.

The altered binary exposes an endpoint that accepts and runs commands sent via HTTP requests, effectively acting as a backdoor. Significantly, these commands run with the system permissions of the user who launched the application.
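One way to hunt for the update step described above, as an added example that is not code from Security Joes or MinIO. It assumes process-execution logs in a constructed `timestamp|user|command` format, an `mc admin update <alias> <URL>` command shape, and an allowlist of update hosts that you would replace with your own.

```python
import os
import shlex
from urllib.parse import urlsplit

# Assumption: update sources this organisation accepts. dl.min.io is MinIO's
# public download host; mirror.internal.example is a placeholder.
TRUSTED_UPDATE_HOSTS = {"dl.min.io", "mirror.internal.example"}

def mirror_url_of(cmdline):
    """Return the URL argument of an `mc admin update` invocation, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not parseable as a command
        return None
    if not argv or os.path.basename(argv[0]) != "mc":
        return None
    words = [w for w in argv[1:] if not w.startswith("-")]  # drop flags
    for i in range(len(words) - 1):
        if words[i] == "admin" and words[i + 1] == "update":
            # Anything URL-shaped after the subcommand is an explicit source.
            return next((w for w in words[i + 2:] if "://" in w), None)
    return None

def classify(url):
    """Judge an update source by scheme and by host allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "untrusted: not https"
    if parts.hostname not in TRUSTED_UPDATE_HOSTS:
        return "untrusted: host not on allowlist"
    return "trusted"

def triage(log_lines):
    """Return (timestamp, user, url, verdict) for every update with a mirror URL."""
    findings = []
    for line in log_lines:
        ts, user, cmd = line.split("|", 2)
        url = mirror_url_of(cmd)
        if url is not None:
            findings.append((ts, user, url, classify(url)))
    return findings

# Constructed sample records (not taken from any real incident).
SAMPLE_LOG = [
    "2023-04-02T09:14:07Z|ops|mc admin update prod",
    "2023-04-02T09:20:31Z|ops|mc admin update prod https://mirror.internal.example/minio/",
    "2023-04-02T11:02:55Z|www|/usr/local/bin/mc admin update prod http://203.0.113.7:8080/minio/",
    "2023-04-02T11:05:00Z|ops|mc ls prod/bucket",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

An untrusted verdict is a lead for review: compare the running MinIO binary's hash with the release you deployed and check which account issued the update.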

The compromised binary can be traced back to an exploit, christened 'Evil MinIO', that surfaced on GitHub in early April 2023. However, investigators found no tangible evidence linking the exploit to the current security breach.

What stands out is the attacker's facility with bash scripting and Python, and their ability to use the backdoor access to fetch additional payloads from a remote server for subsequent exploitation. This is done through a downloader script that is versatile enough to target both Windows and Linux environments.

Security Joes noted that the attacker's dynamic approach highlights their strategic expertise. They tailor their efforts to the estimated value of the compromised system, demonstrating measured precision in their actions.

In the face of this growing threat, awareness and vigilance are powerful weapons. Keep up to date with the latest cyber threat news and gain access to practical cybersecurity insights and tips by subscribing to our updates. Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.

