Hackers exploit MinIO storage system to breach corporate networks (Security News, September 2023)
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.
During an incident response engagement, Security Joes analysts discovered that attackers attempted to install a modified version of the MinIO application, named Evil MinIO, which is available on GitHub.
As part of the attack, Evil MinIO chains both the CVE-2023-28432 information disclosure and the CVE-2023-28434 flaws to replace the MinIO software with modified code that adds a remotely accessible backdoor.
Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD variables.
These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-22 | CVE-2023-28434 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 8.8 |
2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |