Hackers Exploit MinIO Storage System to Breach Corporate Networks

Cyber Security Threat Summary:
Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is a open-source storage service that is compatible with various cloud containers including Amazon S3. It has the ability to store unstructured data, logs, backups, and container images of up to 50TB in size. Due to it’s versatility, performance, and cost effectiveness, MinIO has been a popular tool for large scale AI/ML applications.

The vulnerabilities, which were discovered by Security Joes researchers are tracked as CVE-2023-28432, and CVE-2023-28434. They were disclosed and fixed by the vendor on March 3, 2023. During an incident response engagement, researchers from Security Joes found that an attacker attempted to install a modified version of the MinIO application named Evil MinIO, which is publicly available on GitHub.

Evil MinIO chains together both the vulnerabilities to replace the MinIO software with modified code that creates a remotely accessible backdoor.

Security Officer Comments:
To install Evil MinIO, the attackers used social engineering to convince a DevOps engineer to downgrade their MinIO software to an earlier version that was still vulnerable to the two vulnerabilities.

“Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD variables. These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client. Using this client, the threat actors modify the software update URL to one they control, to push a malicious update” (Bleeping Computer, 2023). The malicious update is identical to the legitimate MinIO app, so users will be unaware that something has occurred. In the background, threat actors can execute commands remotely on a compromised server.

Using the backdoor, the researchers saw the threat actors using the backdoor to run Bach commands and to download Python scripts. Currently, Evil MinIO is not detected by engines on Virus Total despite the tool being published months ago.

Once the attackers have breached the object storage system, the will establish a command and control (C2) server to fetch additional payloads that support post-compromise activity. The payloads are downloaded on Linux via 'curl' or 'wget' and on Windows via 'winhttpjs[.]bat' or 'bitsadmin,' and include the following:

  • System profiling script – collects system information like user details, memory, cronjobs, and disk usage.
  • Network reconnaissance script – identifies accessible network interfaces, hosts, and ports.
  • Windows account creation script – creates user accounts on the compromised systems named either "support" or "servicemanager."
  • PING scan script – identifies accessible assets within the compromised network using the asyncio Python module.
  • China Chopper-like webshell – a one-line webshell that features similarities to China Chopper.
Suggested Correction(s):
Security Joes warns that there are 52,125 MinIO instances exposed on the public internet and about 38% of them were confirmed to run a non-vulnerable software version. Cloud system admins should move quickly to apply the available security update to protect their assets from Evil MinIO operators.