Security News > 2023 > September > Hackers exploit MinIO storage system to breach corporate networks
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.
During an incident response engagement, Security Joes analysts discovered that attackers attempted to install a modified version of the MinIO application, named Evil MinIO, which is available on GitHub.
As part of the attack, Evil MinIO chains both the CVE-2023-28432 information disclosure and the CVE-2023-28434 flaws to replace the MinIO software with modified code that adds a remotely accessible backdoor.
Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO SECRET KEY and MINIO ROOT PASSWORD variables.
These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client.
News URL
Related news
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- USDoD hacker behind National Public Data breach arrested in Brazil (source)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials (source)
- Hackers exploit Roundcube webmail flaw to steal email, credentials (source)
- Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Schneider Electric confirms dev platform breach after hacker steals data (source)
- Nokia investigates breach after hacker claims to steal source code (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-22 | CVE-2023-28434 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 8.8 |
2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |