Indiscriminate, opportunistic targeting.
Threat actors have been observed exploiting two MinIO vulnerabilities in a chained attack. Both flaws are rated high severity and are tracked as CVE-2023-28432 (CVSSv3 score: 7.5) and CVE-2023-28434 (CVSSv3 score: 8.8).
Intelligence gathering has revealed that threat actors have built a malicious version of the MinIO application, named ‘Evil MinIO’, which chains both flaws to replace the legitimate MinIO software with malicious code that deploys a backdoor. The threat actors then use the backdoor to execute Bash commands and download Python scripts. Following successful exploitation, a communication channel is established with command-and-control (C2) infrastructure, from which second-stage payloads are delivered.
MinIO is an open-source object storage service that is compatible with Amazon S3 and allows for the storage of data, logs, backups, and container images.
Successful exploitation of CVE-2023-28432 and CVE-2023-28434 could allow a threat actor to use crafted requests to bypass metadata bucket name checking, ultimately allowing an object to be delivered into any bucket while `PostPolicyBucket` is being processed. Such exploitation is assessed as almost certainly leading to a compromise of data integrity in the target environment.
MinIO has released a security update addressing these vulnerabilities; releases that predate it remain vulnerable to exploitation.
All MinIO versions prior to RELEASE.2023-03-20T20-16-18Z.
Containment, Mitigations & Remediations
It is strongly recommended that users of the affected product versions apply the relevant MinIO security update as soon as possible.
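To support that remediation step, the following added script (not part of the original advisory or of the MinIO project) parses MinIO release tags of the form `RELEASE.YYYY-MM-DDTHH-MM-SSZ` and flags any host still running a build older than the fixed release named above; the hostnames and version strings in the sample inventory are constructed.

```python
import re
from datetime import datetime

# Fixed release named in the advisory; anything earlier is affected.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# MinIO release tags embed a UTC timestamp, so they sort chronologically once parsed.
_TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)$")


def parse_release(tag: str) -> datetime:
    """Convert a MinIO release tag into a datetime; raise on anything else."""
    match = _TAG_RE.match(tag.strip())
    if not match:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%SZ")


def is_affected(tag: str) -> bool:
    """True when the build predates the fixed release and should be updated."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


def triage(inventory: dict) -> dict:
    """Split a host -> version map into affected, patched and unparseable hosts."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, tag in inventory.items():
        try:
            result["affected" if is_affected(tag) else "patched"].append(host)
        except ValueError:
            # Custom or dev builds cannot be judged from the tag alone; review by hand.
            result["unknown"].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "minio-prod-1": "RELEASE.2023-01-15T00-00-00Z",   # older than the fix
    "minio-prod-2": "RELEASE.2023-03-20T20-16-18Z",   # exactly the fixed release
    "minio-dev": "RELEASE.2023-07-01T12-00-00Z",      # newer than the fix
    "minio-legacy": "custom-build",                   # not a release tag
}

if __name__ == "__main__":
    for category, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

The version string can be taken from `minio --version` output on each host or from whatever asset inventory already records it.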
Indicators of Compromise
Evil MinIO associated file hashes (SHA-256):
MinIO holds a significant share of the storage-infrastructure market. Because threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to focus on, storage products of this kind are emerging as a prime target. As storage platforms have become integral to business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to extract the sensitive information they hold.
No attribution to specific threat actors or groups has been identified at the time of writing.
Common Weakness Enumeration (CWE):
CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor
CWE-269 – Improper Privilege Management