MinIO storage system flaws exploited by threat actors

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Threat actors have been observed exploiting two MinIO vulnerabilities in a chained attack. Both flaws are rated high severity and are tracked as CVE-2023-28432 (CVSSv3 score: 7.5) and CVE-2023-28434 (CVSSv3 score: 8.8).

Intelligence gathering has revealed that threat actors have built a malicious version of the MinIO application, named ‘Evil MinIO’, which chains both of the aforementioned security flaws and replaces the legitimate MinIO software with code that deploys a backdoor. The threat actors then use the backdoor to execute Bash commands and download Python scripts. Following successful exploitation, a communication channel is established with command-and-control (C2) infrastructure, through which second-stage payloads are delivered.

MinIO is an open-source object storage service that is compatible with Amazon S3 and allows for the storage of data, logs, backups, and container images.

Impact

Successful exploitation of CVE-2023-28432 and CVE-2023-28434 could allow a threat actor to use crafted requests to bypass the metadata bucket name check, ultimately allowing an object to be delivered into any bucket while `PostPolicyBucket` is processed. It is assessed that such exploitation will almost certainly compromise the integrity of data in target environments.

Incident Detection

MinIO has released a security update addressing these vulnerabilities; all earlier versions remain exposed to potential exploitation.

Affected Products

All MinIO versions prior to RELEASE.2023-03-20T20-16-18Z.

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected product versions apply the relevant MinIO security update as soon as possible.

Indicators of Compromise

C2 Infrastructure:

  • 5[.]183[.]95[.]88
  • api[.]timeinfo[.]org

Evil MinIO associated file hashes (SHA-256):

  • 1EF7419804E401FBB3860862C2B2FBC1EC3C4650FE24FB44F787F81ACF6AD65B
  • B14A23D0D77A45F4DF4889B0C2D239FB118F9D16F944571A8B4D08603D16FB41
  • 9698D561DE233038CF922B0DE4A0BBB8E5723C800B4BC04C7AC82D92CB715DFD
  • 42AAACF6871108A45E1AE8EDE15BC7CDCB9CF9EDE067059524BA8D3B8928E91C
  • FC7909C24B2BB7F42648C605DEACB3AE4F9574B95A562DD165E5E9ACA2CC7D74
  • 0E084EB83954A090D83730B157F20549CF90B9D0206F5FD0BBCFF009788EEAFD
  • EADDE565B44E35608447B056761BA172B608B796418AB1244607DC17D21F05E3
  • D56C63CC53ED72A879F224AB85019DB5FC2C30E8F193C1147975D46E3F5D913A
  • 9E1A2A068AF2524D2ABC48C1EDF46DE8CFA3329D3688164DB5969BC1914377FC
  • D4CF68E351992FC32021C75820F7D2A858796DD9DC245B7FBBF2CEF8656081B2
  • 6B46CF38C45AD81DFCBBD77A1B196C5DEA147088F6DAB1B1920A508D61BB03ED
  • FFFA85E27836FD556A06660AC0AD76A35EF02687652A81194821C538E847D58F
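The checks below are an added triage example and are not part of this bulletin or of the MinIO project. They do two things a defender would want from the sections above: decide whether a MinIO build tag is older than the fixed release RELEASE.2023-03-20T20-16-18Z (parsing the release timestamp embedded in the tag, which is an assumption about the tag format based on the one release named here), and match the listed C2 indicators and Evil MinIO hashes against log lines. The sample log lines, the version tag in them and the host addresses are constructed for the example.

```python
"""Triage helpers for the MinIO advisory (added example, not from the bulletin).

Assumption: MinIO release tags look like RELEASE.YYYY-MM-DDTHH-MM-SSZ, so the
embedded UTC timestamp orders releases. Sample log lines are constructed.
"""
import re
from datetime import datetime

FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"  # fixed version named in the bulletin

# Indicators exactly as printed in the bulletin (defanged with [.]).
C2_INDICATORS = ["5[.]183[.]95[.]88", "api[.]timeinfo[.]org"]
EVIL_MINIO_SHA256 = [
    "1EF7419804E401FBB3860862C2B2FBC1EC3C4650FE24FB44F787F81ACF6AD65B",
    "B14A23D0D77A45F4DF4889B0C2D239FB118F9D16F944571A8B4D08603D16FB41",
    "9698D561DE233038CF922B0DE4A0BBB8E5723C800B4BC04C7AC82D92CB715DFD",
    "42AAACF6871108A45E1AE8EDE15BC7CDCB9CF9EDE067059524BA8D3B8928E91C",
    "FC7909C24B2BB7F42648C605DEACB3AE4F9574B95A562DD165E5E9ACA2CC7D74",
    "0E084EB83954A090D83730B157F20549CF90B9D0206F5FD0BBCFF009788EEAFD",
    "EADDE565B44E35608447B056761BA172B608B796418AB1244607DC17D21F05E3",
    "D56C63CC53ED72A879F224AB85019DB5FC2C30E8F193C1147975D46E3F5D913A",
    "9E1A2A068AF2524D2ABC48C1EDF46DE8CFA3329D3688164DB5969BC1914377FC",
    "D4CF68E351992FC32021C75820F7D2A858796DD9DC245B7FBBF2CEF8656081B2",
    "6B46CF38C45AD81DFCBBD77A1B196C5DEA147088F6DAB1B1920A508D61BB03ED",
    "FFFA85E27836FD556A06660AC0AD76A35EF02687652A81194821C538E847D58F",
]

_RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")


def parse_release(tag):
    """Turn a MinIO release tag into the UTC datetime it encodes."""
    m = _RELEASE_RE.fullmatch(tag.strip())
    if not m:
        raise ValueError(f"unrecognised MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_vulnerable(tag, fixed=FIXED_RELEASE):
    """True when the build predates the fixed release (bulletin: all prior versions)."""
    return parse_release(tag) < parse_release(fixed)


def find_release_tags(lines):
    """Return (line number, tag, vulnerable?) for every release tag seen in the logs."""
    found = []
    for lineno, line in enumerate(lines, 1):
        for m in _RELEASE_RE.finditer(line):
            found.append((lineno, m.group(0), is_vulnerable(m.group(0))))
    return found


def refang(indicator):
    """Convert the bulletin's defanged form (a[.]b) back to a matchable string."""
    return indicator.replace("[.]", ".")


def _indicator_pattern(needle):
    # Anchor on non-identifier boundaries so 5.183.95.88 does not match 15.183.95.88.
    return re.compile(r"(?<![\w.])" + re.escape(needle) + r"(?![\w.])", re.IGNORECASE)


def scan_logs(lines, c2=C2_INDICATORS, hashes=EVIL_MINIO_SHA256):
    """Return (line number, indicator type, matched value) for each IoC hit."""
    patterns = [(refang(i), "c2", _indicator_pattern(refang(i))) for i in c2]
    patterns += [(h.lower(), "evil-minio-hash", _indicator_pattern(h)) for h in hashes]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for value, kind, pattern in patterns:
            if pattern.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed sample log lines (not real telemetry); hosts and times are invented.
SAMPLE_LOGS = [
    "2023-09-04T10:12:01Z minio[1123]: starting MinIO RELEASE.2023-03-13T19-46-17Z",
    "2023-09-04T10:12:05Z dnsmasq[44]: query[A] api.timeinfo.org from 10.0.4.17",
    "2023-09-04T10:12:06Z fw: ACCEPT 10.0.4.17 -> 5.183.95.88:443",
    "2023-09-04T10:13:00Z edr: new binary /usr/local/bin/minio "
    "sha256=1ef7419804e401fbb3860862c2b2fbc1ec3c4650fe24fb44f787f81acf6ad65b",
    "2023-09-04T10:13:30Z sshd[77]: Accepted publickey for ops from 10.0.0.2",
]

if __name__ == "__main__":
    for lineno, tag, vuln in find_release_tags(SAMPLE_LOGS):
        print(f"line {lineno}: {tag} -> {'VULNERABLE' if vuln else 'patched'}")
    for lineno, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} match on {value}")
```

Run it against the constructed sample and it reports the pre-fix build on line 1 as vulnerable, the DNS lookup and outbound connection to the two C2 indicators, and the Evil MinIO hash recorded by the EDR line; feeding real MinIO, DNS and EDR exports into `find_release_tags` and `scan_logs` gives the same three classes of evidence on production data.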

Threat Landscape

MinIO holds a significant share of the storage-infrastructure market. Since threat actors generally weigh the probability of success against asset value when choosing which attack surfaces to focus on, storage products of this kind are emerging as a prime target. Because storage platforms have become integral to business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to extract the sensitive information they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-269 – Improper Privilege Management

Further Information

Security Joes Analysis


An Intelligence Terminology Yardstick showing the likelihood of events

TIDC-0003