Security News > 2023 > September > Hackers exploit MinIO storage system to breach corporate networks
![Hackers exploit MinIO storage system to breach corporate networks](/static/build/img/news/hackers-exploit-minio-storage-system-to-breach-corporate-networks-medium.jpg)
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.
During an incident response engagement, Security Joes analysts discovered that attackers attempted to install a modified version of the MinIO application, named Evil MinIO, which is available on GitHub.
As part of the attack, Evil MinIO chains both the CVE-2023-28432 information disclosure and the CVE-2023-28434 flaws to replace the MinIO software with modified code that adds a remotely accessible backdoor.
Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO SECRET KEY and MINIO ROOT PASSWORD variables.
These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client.
News URL
Related news
- Hackers Exploit Legitimate Packer Software to Spread Malware Undetected (source)
- Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells (source)
- TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers (source)
- China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally (source)
- Life360 says hacker tried to extort them after Tile data breach (source)
- Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor (source)
- Hackers exploit critical D-Link DIR-859 router flaw to steal passwords (source)
- Hackers use PoC exploits in attacks 22 minutes after release (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-22 | CVE-2023-28434 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 8.8 |
2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio Minio is a Multi-Cloud Object Storage framework. | 7.5 |