Hackers exploit MinIO storage system to breach corporate networks
2023-09-04 16:45

Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.

MinIO is an open-source object storage service offering compatibility with Amazon S3 and the ability to store unstructured data, logs, backups, and container images of up to 50TB in size.

During an incident response engagement, Security Joes analysts discovered that attackers attempted to install a modified version of the MinIO application, named Evil MinIO, which is available on GitHub.

As part of the attack, Evil MinIO chains the CVE-2023-28432 information disclosure flaw with the CVE-2023-28434 flaw to replace the MinIO software with modified code that adds a remotely accessible backdoor.

Once installed, the hackers exploited CVE-2023-28432 to remotely access the server's environment variables, including the MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD variables.

These administrative credentials allow the hackers to access the MinIO admin console using the MinIO client.


News URL

https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storage-system-to-breach-corporate-networks/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-22 | CVE-2023-28434 | Unspecified vulnerability in Minio. Minio is a Multi-Cloud Object Storage framework. (network, low complexity, minio) | 8.8 |
| 2023-03-22 | CVE-2023-28432 | Unspecified vulnerability in Minio. Minio is a Multi-Cloud Object Storage framework. (network, low complexity, minio) | 7.5 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Minio 2 1 10 5 0 16