Unknown threat actors have cleverly combined social engineering and vulnerability chaining to successfully compromise MinIO storage systems used to store unstructured data, logs, backups, and container images.
The two vulnerabilities involved in the attack, designated CVE-2023-28432 and CVE-2023-28434, were patched in March 2023. However, threat actors successfully used social engineering techniques to convince an IT engineer to downgrade to an earlier version that remains exploitable. The threat actors then exploited CVE-2023-28432 on the downgraded version to obtain credentials, log in to the MinIO administrative console, and change the software update URL to one under their control.
The malicious update that is then downloaded, dubbed Evil MinIO, is functionally identical to legitimate MinIO but exploits CVE-2023-28434 to include a backdoor that allows the threat actors to download additional payloads via wget or curl commands, install webshells, and conduct reconnaissance.
Researchers noted that over 32,000 internet-exposed MinIO instances are vulnerable to this attack even without social engineering to downgrade the software version.
Source: Bleeping Computer
Analysis
The use of social engineering to convince the target to downgrade to a vulnerable version indicates that this particular target was of significant interest to the threat actors. Otherwise, the threat actors would have attempted to compromise the many MinIO instances that were already vulnerable. It is likely that the scope of this attack is limited to one or a few targets; however, as attackers become more familiar with this technique, it could become broader.
This compromise serves as a reminder of how effective social engineering can be and that quite often humans are the weakest link when it comes to cybersecurity. Had the IT engineer recognized that the request to downgrade was a scam, it is highly likely the attacks would not have been successful.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software like MinIO. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of MinIO to update to the latest version as soon as possible and scrutinize unsolicited requests to install or modify software.
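As an added example (not code from the article, from Field Effect or from the MinIO project), the following Python inventory check parses MinIO's RELEASE.YYYY-MM-DDTHH-MM-SSZ version strings and flags any host whose observed release moves backwards, which is the downgrade step this attack depends on. The patched-release threshold and the inventory records are constructed placeholders; replace the threshold with the build named in the MinIO advisory for CVE-2023-28432 and CVE-2023-28434.

```python
import re
from datetime import datetime

# MinIO tags builds as RELEASE.YYYY-MM-DDTHH-MM-SSZ, so releases can be
# ordered by the UTC timestamp embedded in the tag.
RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")

# PLACEHOLDER (assumption): the article only says the fixes shipped in
# March 2023. Replace with the patched build from the MinIO advisory.
PATCHED_RELEASE = "RELEASE.2023-03-01T00-00-00Z"

def parse_release(version: str) -> datetime:
    """Extract the release timestamp from a tag or a 'minio --version' line."""
    m = RELEASE_RE.search(version)
    if not m:
        raise ValueError(f"not a MinIO release string: {version!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")

def is_vulnerable(version: str) -> bool:
    """True when the build predates the (placeholder) patched release."""
    return parse_release(version) < parse_release(PATCHED_RELEASE)

def find_downgrades(records):
    """records: iterable of (host, observed_on, version), any order.
    Returns one (host, from_version, to_version, to_is_vulnerable) tuple
    for every observation where a host's release timestamp went backwards."""
    by_host = {}
    for host, _seen, ver in sorted(records, key=lambda r: r[1]):
        by_host.setdefault(host, []).append(ver)
    alerts = []
    for host, versions in by_host.items():
        for prev, cur in zip(versions, versions[1:]):
            if parse_release(cur) < parse_release(prev):
                alerts.append((host, prev, cur, is_vulnerable(cur)))
    return alerts

# Constructed sample inventory: minio-01 is rolled back to a pre-patch build.
SAMPLE_RECORDS = [
    ("minio-01", "2023-08-01", "RELEASE.2023-07-21T21-12-44Z"),
    ("minio-01", "2023-08-15", "RELEASE.2022-11-29T23-40-49Z"),
    ("minio-02", "2023-08-01", "RELEASE.2023-07-21T21-12-44Z"),
    ("minio-02", "2023-08-15", "RELEASE.2023-08-09T23-30-22Z"),
]

if __name__ == "__main__":
    for host, prev, cur, vuln in find_downgrades(SAMPLE_RECORDS):
        flag = "PRE-PATCH" if vuln else "still patched"
        print(f"{host}: downgraded {prev} -> {cur} ({flag})")
```

Feed it the version strings your asset inventory or `minio --version` output already records; a downgrade alert on a host that nobody scheduled is the signal worth investigating.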