Cyber bandits used an interesting trick to execute malicious code remotely.
As Security Joes, a cybersecurity company, reported today, unknown hackers are actively exploiting critical vulnerabilities in the popular MinIO storage system. The attacks were aimed at unauthorized code execution on compromised servers.
For penetration, a publicly available exploit chain is used, including vulnerabilities CVE-2023-28432 (CVSS hazard Assessment 7.5) and CVE-2023-28434 (CVSS hazard Assessment 8.8). According to Security Joes experts, these vulnerabilities allow access to confidential data on compromised servers and remote code execution where the MinIO application is running.
During the investigation, the company discovered that the attackers used the vulnerabilities described above to gain administrator rights and replace the original MinIO client with an infected version. To do this, they used the client update command, specifying a malicious mirror as the update source.
This allowed them to secretly replace the original MinIO binary with a modified version with built-in backdoor functionality that receives commands from intruders directly via the HTTP protocol.
According to Security Joes, the modified binary is a copy of the publicly available Evil MinIO exploit, published on GitHub in early April of this year. However, no direct connection was found between them.
Apparently, the attackers are highly skilled in writing bash and Python scripts and use a backdoor to download additional malware.
Using a special script, they profile compromised hosts and determine the value of the obtained access for further attack. This indicates that they have a well-thought-out and strategic approach to conducting their malicious operations.
As Security Joes, a cybersecurity company, reported today, unknown hackers are actively exploiting critical vulnerabilities in the popular MinIO storage system. The attacks were aimed at unauthorized code execution on compromised servers.
For penetration, a publicly available exploit chain is used, including vulnerabilities CVE-2023-28432 (CVSS hazard Assessment 7.5) and CVE-2023-28434 (CVSS hazard Assessment 8.8). According to Security Joes experts, these vulnerabilities allow access to confidential data on compromised servers and remote code execution where the MinIO application is running.
During the investigation, the company discovered that the attackers used the vulnerabilities described above to gain administrator rights and replace the original MinIO client with an infected version. To do this, they used the client update command, specifying a malicious mirror as the update source.
This allowed them to secretly replace the original MinIO binary with a modified version with built-in backdoor functionality that receives commands from intruders directly via the HTTP protocol.
According to Security Joes, the modified binary is a copy of the publicly available Evil MinIO exploit, published on GitHub in early April of this year. However, no direct connection was found between them.
Apparently, the attackers are highly skilled in writing bash and Python scripts and use a backdoor to download additional malware.
Using a special script, they profile compromised hosts and determine the value of the obtained access for further attack. This indicates that they have a well-thought-out and strategic approach to conducting their malicious operations.
