An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers.
Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance.
The chain comprises CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8), the former of which was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023.
The two vulnerabilities “possess the potential to expose sensitive information present within the compromised installation and facilitate remote code execution (RCE) on the host where the MinIO application is operational,” Security Joes said in a report shared with The Hacker News.
In the attack chain investigated by the company, the flaws are said to have been weaponized by the adversary to obtain admin credentials and abuse the foothold to replace the MinIO client on the host with a trojanized version by triggering an update command specifying a MIRROR_URL.
“The mc admin update command updates all MinIO servers in the deployment,” the MinIO documentation reads. “The command also supports using a private mirror server for environments where the deployment does not have public internet access.”
“The culmination of these actions permits the attacker to orchestrate a deceptive update,” Security Joes said. “By replacing the authentic MinIO binary with its ‘evil’ counterpart, the attacker seals the compromise of the system.”
The malicious modifications to the binary expose an endpoint that receives and executes commands via HTTP requests, effectively acting as a backdoor. The commands inherit the system permissions of the user who initiated the application.
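Two checks a defender can run against the chain described above, as an added example (not code from the article or from Security Joes or MinIO): scanning audit records for a server update that points at an unexpected mirror, and verifying the on-disk MinIO binary against a checksum pinned from the official release. The log field layout (`api.name`, `requestQuery`, `remotehost`), the `ServerUpdate` operation name, the `updateURL` parameter and the allowlisted mirror host are assumptions for the example; the log lines are constructed.

```python
import hashlib
import json
from urllib.parse import urlparse

# Hosts from which a MinIO update may legitimately be fetched.  dl.min.io is
# the public MinIO release host; the second entry is an assumed internal mirror.
ALLOWED_UPDATE_HOSTS = {"dl.min.io", "mirror.internal.example"}

# Constructed audit records.  The field layout (api.name, requestQuery,
# remotehost) is a simplified assumption, not a verified MinIO log schema.
SAMPLE_AUDIT_LOG = [
    '{"time":"2023-09-01T10:00:00Z","api":{"name":"ServerUpdate"},'
    '"requestQuery":{"updateURL":"https://dl.min.io/server/minio/release/linux-amd64/minio"},'
    '"remotehost":"10.0.0.5"}',
    '{"time":"2023-09-01T10:05:00Z","api":{"name":"ListObjectsV2"},'
    '"requestQuery":{},"remotehost":"10.0.0.7"}',
    '{"time":"2023-09-01T10:07:00Z","api":{"name":"ServerUpdate"},'
    '"requestQuery":{"updateURL":"http://203.0.113.9/minio"},'
    '"remotehost":"198.51.100.23"}',
    'not json at all',
]


def classify_update_url(url):
    """Return the reasons an update URL looks suspicious (empty list = fine).

    An absent URL is treated as the default public release source (assumption).
    """
    if not url:
        return []
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme != "https":
        reasons.append("non-https update source")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        reasons.append("update host not in allowlist")
    return reasons


def find_suspicious_updates(lines):
    """Scan audit log lines for server-update requests that name an
    unexpected mirror.  Malformed lines are skipped rather than fatal."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("api", {}).get("name") != "ServerUpdate":
            continue
        url = rec.get("requestQuery", {}).get("updateURL", "")
        reasons = classify_update_url(url)
        if reasons:
            findings.append({
                "time": rec.get("time"),
                "remotehost": rec.get("remotehost"),
                "url": url,
                "reasons": reasons,
            })
    return findings


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def verify_binary(path, expected_sha256):
    """Compare the on-disk MinIO binary with a checksum pinned from the
    official release page.  A mismatch after an 'update' is the signal that
    the binary on the host is not the one the operator expected."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for f in find_suspicious_updates(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['remotehost']} -> {f['url']}: {', '.join(f['reasons'])}")
    # Placeholder: substitute the checksum of the release you deployed.
    # print(verify_binary("/usr/local/bin/minio", "<EXPECTED_SHA256>"))
```

The checksum for `verify_binary` has to come from outside the host (the release page or a build pipeline record); a hash read from the same machine after the trojanized update proves nothing.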
It’s worth noting that the altered version of the binary is a replica of an exploit named Evil MinIO that was published on GitHub in early April 2023. That said, there is no evidence to suggest a connection between the two.
What’s evident is that the threat actor is proficient in working with bash scripts and Python, not to mention taking advantage of the backdoor access to drop supplementary payloads from a remote server for post-exploitation via a downloader script.
The script, capable of targeting both Windows and Linux environments, functions as a gateway to profile the compromised hosts, based on which it’s determined whether the execution must be terminated or not.
“This dynamic approach underscores the threat actor’s strategic approach in optimizing their efforts based on the perceived value of the compromised system,” Security Joes said.