Researchers at Security Joes recently discovered threat actors leveraging critical vulnerabilities in MinIO to infiltrate a cloud network. According to the researchers' blog post, the attack represents a novel approach to compromising cloud assets through non-native solutions, that is, third-party software such as MinIO running in the cloud rather than the provider's own managed services.
“The chain of vulnerabilities observed by our team during an attack we’ve investigated presents a worrisome situation where attackers can potentially gain the ability to remotely execute code and take full control over systems…”
Security Joes
MinIO is an open-source, high-performance object storage server that exposes an Amazon S3-compatible API. Companies use MinIO to store and manage unstructured data such as media (photos, videos, and audio files), electronic documents and records, web pages, log files, and system backups.
The two MinIO vulnerabilities are tracked as CVE-2023-28434 and CVE-2023-28432. The first lets a malicious user bypass bucket name checking and place an object into any S3 bucket, including MinIO's internal metadata bucket. The second lets an attacker obtain all environment variables of the host process, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, which are the root credentials needed to administer the server.
The attack involved the threat actors convincing a DevOps engineer in the victim organization to update to a vulnerable version of MinIO. Security Joes intercepted the modifications using custom automation and analyzed the compromised binary. The backdoored binary contained an added function, GetOutputDirectly(), that runs operating-system commands. An attacker could execute a command on the MinIO host simply by appending it to a request URL in the “alive” query parameter:
http://vulnerable.minio.server/?alive=[CMD_TO_EXECUTE]
Further research turned up a GitHub repository, Evil_MinIO, describing an exploit chain for compromising vulnerable MinIO versions.
According to Security Joes, the backdoor this attack leaves behind differs from a traditional web shell: rather than a script dropped on disk, it is compiled into the MinIO binary itself, which makes file-based detection harder.
“In the MinIO scenario, the dynamics play out differently. No traces of these conventional suspicious scripts are strewn across the disk. However, beneath the surface, an embedded backdoor lies in wait[…]. The intricate nature of this threat renders traditional signature-based detectors inadequate in capturing its presence…,” says Security Joes.
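Because the backdoor lives inside the server binary, file-based signatures are of little use, but both stages of the attack described above still leave network-side traces: the credential-theft step is a POST to MinIO's bootstrap verify endpoint from a host that is not a cluster peer, and the backdoor is driven by an `alive` query parameter that the S3 API never uses. The following Python script is an added example, not code from Security Joes or the MinIO project. It scans access-log lines in the common combined format for those two indicators and also checks a MinIO version string against the release that fixed both CVEs (RELEASE.2023-03-20T20-16-18Z, per the MinIO advisories). The peer list, the log lines and the log layout are constructed for the example; adapt the regex to your reverse proxy's format.

```python
"""Detect MinIO CVE-2023-28432 probing and Evil_MinIO-style backdoor traffic
in web access logs, and check whether a MinIO build predates the fix."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Hosts that legitimately call the bootstrap endpoint (cluster peers).
# Assumed for this example; take the real list from your deployment.
CLUSTER_PEERS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# Endpoint abused by CVE-2023-28432 to dump the server's environment.
BOOTSTRAP_VERIFY_PATH = "/minio/bootstrap/v1/verify"

# First MinIO release containing the fixes for both CVEs.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so a bare "?alive=" is still seen as the parameter.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_indicators(lines):
    """Return a list of findings, one per suspicious request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Indicator 1: the backdoor's command channel. Genuine S3/MinIO
        # requests never carry an 'alive' query parameter, so any value here
        # is a command handed to GetOutputDirectly().
        if "alive" in rec["query"]:
            findings.append({
                "client": rec["client"],
                "type": "backdoor_alive_param",
                "detail": rec["query"]["alive"][0],
            })
        # Indicator 2: CVE-2023-28432 probe. Only other cluster nodes should
        # POST to the bootstrap verify endpoint; anyone else is after the
        # environment variables (MINIO_ROOT_PASSWORD etc.).
        if (rec["method"] == "POST"
                and rec["path"] == BOOTSTRAP_VERIFY_PATH
                and rec["client"] not in CLUSTER_PEERS):
            findings.append({
                "client": rec["client"],
                "type": "bootstrap_verify_from_non_peer",
                "detail": rec["path"],
            })
    return findings


def is_patched(version):
    """True if a MinIO version string is at or after the fixed release."""
    def stamp(v):
        return datetime.strptime(v[len("RELEASE."):], "%Y-%m-%dT%H-%M-%SZ")
    return stamp(version) >= stamp(FIXED_RELEASE)


# Constructed sample log: one attacker (203.0.113.7), one cluster peer, one
# ordinary S3 client. Not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2023:10:15:01 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1893 "-" "curl/8.1.2"',
    '10.0.0.12 - - [02/Sep/2023:10:15:05 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 412 "-" "MinIO (linux; amd64) minio-go/v7"',
    '203.0.113.7 - - [02/Sep/2023:10:16:40 +0000] "GET /?alive=id HTTP/1.1" 200 38 "-" "curl/8.1.2"',
    '198.51.100.2 - - [02/Sep/2023:10:17:02 +0000] "GET /backups/db.tar.gz?X-Amz-Algorithm=AWS4-HMAC-SHA256 HTTP/1.1" 200 52428800 "-" "aws-cli/2.13.0"',
    '203.0.113.7 - - [02/Sep/2023:10:18:11 +0000] "GET /?alive=cat%20/etc/passwd HTTP/1.1" 200 1217 "-" "curl/8.1.2"',
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['client']:<15} {f['type']:<32} {f['detail']}")
    for v in ("RELEASE.2023-03-13T19-46-17Z", FIXED_RELEASE):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

The peer allow-list matters more than it looks: the bootstrap verify endpoint is called routinely during distributed startup, so alerting on every POST to it would drown the signal, while a POST from outside the cluster is essentially never legitimate. The `alive` check is the cheaper of the two and works on any tier that sees the request line, but it only catches this particular backdoor; the version check is what tells you whether the credential-theft step was possible in the first place.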