If your MinIO client app was replaced with its evil twin that leaks sensitive data to third parties, would you notice? Some hackers are betting you wouldn’t, as that’s exactly what they have been doing against certain endpoints, researchers from Security Joes recently discovered.
In a detailed writeup, cybersecurity experts from Security Joes said they observed some threat actors chaining together two relatively unknown vulnerabilities: CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8).
By using these two flaws, threat actors steal admin credentials and move into MinIO, an open-source object storage service where admins can keep things like unstructured data, logs, backups, and more. As it offers to keep files up to 50TB in size, as well as other advantages, it’s become a cost-effective choice.
Once they gain access to the client, they can run a “deceptive update,” as Security Joes describes it. “By replacing the authentic MinIO binary with its ‘evil’ counterpart, the attacker seals the compromise of the system.”
The threat actors, which are yet to be named, are using a replica of an exploit called Evil MinIO, which was published on GitHub in April this year, The Hacker News reports. “That said, there is no evidence to suggest a connection between the exploit’s author and the attackers,” the publication adds.
Still, the compromised endpoint can then work as a backdoor, giving the attackers the ability to run commands on the host that runs the application. “Notably, the executed commands inherit the system permissions of the user who initiated the application. In this instance, due to inadequate security practices, the DevOps engineer launching the application held root-level permissions,” the researchers explained.
They added that there are more than 52,000 MinIO instances that are exposed on the public internet, with roughly two-fifths (38%) running an updated, protected version.