Security Joes’ incident response uncovers a novel attack vector that exploits MinIO CVEs to gain remote code execution via a backdoored non-native object storage instance. The post maps attacker TTPs, IOCs, and C2 infrastructure, and urges MDR/DevSecOps defenses to mitigate this threat. #Evil_MinIO #MinIO #CVE-2023-28434 #CVE-2023-28432 #ChinaChopper #NonNativeObjectStorage
Keypoints
- Attackers weaponize MinIO using CVE-2023-28434 and CVE-2023-28432 to enable remote code execution on vulnerable deployments.
- A modified MinIO binary (referred to as “Evil_MinIO”) embeds a built-in backdoor with a command-execution endpoint (GetOutputDirectly).
- The intrusion begins by convincing a DevOps engineer to update a non-native Object Storage Service (MinIO) to a vulnerable version.
- The attack chain is documented in a GitHub repo named “evil_minio,” which includes the steps used to replace the legitimate MinIO binary with the backdoored build.
- Command and control uses HTTP(S) to communicate with the C2, and downloader scripts fetch additional payloads from the server.
- Post-compromise activity includes system profiling, network reconnaissance, and credential access to enable further actions.
- Persistence on Windows hosts via new local accounts added to privileged groups, plus a China Chopper–style webshell observed on the C2 server.
MITRE Techniques
- [T1554] Compromise Host Software Binary – The legitimate MinIO binary is replaced with the backdoored Evil_MinIO build, delivered through the CVE-2023-28434/CVE-2023-28432 chain. ‘The Evil_MinIO is utilizing CVE-2023-28434 and CVE-2023-28432.’
- [T1190] Exploit Public-Facing Application – Attackers exploited a vulnerable version of MinIO on an AWS EC2 instance. ‘The attacker exploited a vulnerable version of MinIO on an AWS EC2 instance.’
- [T1505.003] Web Shell – The threat actor uses a China Chopper–style webshell on the C2 server. ‘The presence of a China chopper-like Webshell on the C2 server.’
- [T1552.002] Credentials in Environment Variables – The information-disclosure bug (CVE-2023-28432) makes the vulnerable MinIO deployment return its environment variables, including MINIO_ROOT_PASSWORD and MINIO_SECRET_KEY, which the attacker then uses as admin credentials. ‘environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD’.
- [T1071] Standard Application Layer Protocol – The attacker used HTTP/S for communication with the victim. ‘The attacker used HTTP/S for communication with the victim.’
- [T1059] Command and Scripting Interpreter – The built-in backdoor endpoint executes commands via HTTP requests. ‘endpoint that receives and executes commands via HTTP requests.’
- [T1136] Create Account – Attackers create Windows accounts (e.g., “support” and “servicemanager”) and add them to the Remote Desktop Users and Administrators groups. ‘The attacker created new user accounts (“support” and “servicemanager”) and added them to “Remote Desktop Users” and “Administrators” groups.’
- [T1105] Ingress Tool Transfer – Downloader scripts fetch and execute additional payloads from the C2 server. ‘Downloader scripts were used to fetch and execute additional scripts from the C2 server.’
- [T1082] System Information Discovery – System profiling scripts gather host data (users, memory, cronjobs, disk usage). ‘System profiling scripts were used to collect information from the compromised system.’
- [T1046] Network Service Scanning – Network reconnaissance scripts identify interfaces, hosts, and ports. ‘Network recon scripts were used to identify accessible interfaces, hosts, and ports.’
Indicators of Compromise
- [IP Address] C2 channel – 5[.]183[.]95[.]88
- [Domain] C2 hosts – api.timeinfo.org, codeclou.io (github.com appears only as the host of the “evil_minio” repo, not as attacker-controlled C2 infrastructure)
- [File Hash] MinIO backdoor binaries and payloads – 1EF7419804E401FBB3860862C2B2FBC1EC3C4650FE24FB44F787F81ACF6AD65B, 9698D561DE233038CF922B0DE4A0BBB8E5723C800B4BC04C7AC82D92CB715DFD, and 2 more hashes
- [Filename] adduser.bat, winhttpjs.bat
- [Network URL] Backdoor command-execution pattern (the `alive` query parameter is honored on any path) – http://vulnerable.minio.server/?alive=[CMD_TO_EXECUTE], http://vulnerable.minio.server/anything?alive=[CMD_TO_EXECUTE]
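A small hunting script, added here as an example and not part of the Security Joes write-up, that turns the indicators above into checks: it flags access-log requests carrying the `alive` command parameter, requests from the listed C2 IP or to the listed C2 domains, and compares a MinIO binary's SHA-256 against the two hashes on this page. The combined-style log format and the sample log lines are constructed for illustration; the hash check only covers the two hashes reproduced here, not the "2 more" the page elides.

```python
"""Hunt for Evil_MinIO indicators in access logs and on disk (added example)."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# IOCs from the page, with defanging brackets removed so they compare to real logs.
C2_IPS = {"5.183.95.88"}
C2_DOMAINS = {"api.timeinfo.org", "codeclou.io"}
BACKDOOR_HASHES = {
    "1EF7419804E401FBB3860862C2B2FBC1EC3C4650FE24FB44F787F81ACF6AD65B",
    "9698D561DE233038CF922B0DE4A0BBB8E5723C800B4BC04C7AC82D92CB715DFD",
}
# The backdoored binary executes the value of the `alive` query parameter on any path.
BACKDOOR_PARAM = "alive"

# Assumed log shape: an Apache/NGINX "combined"-style access log from a proxy in front of MinIO.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def inspect_request(line: str) -> list[str]:
    """Return the findings for one access-log line (empty list when nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]  # do not silently drop lines the regex cannot read
    findings = []
    src, target = m.group("src"), m.group("target")
    if src in C2_IPS:
        findings.append(f"source {src} is a known C2 address")
    parts = urlsplit(target)
    # Proxy logs may record an absolute URL; catch downloads from the C2 domains there.
    if parts.hostname and parts.hostname.lower() in C2_DOMAINS:
        findings.append(f"request to C2 domain {parts.hostname}")
    params = parse_qs(parts.query, keep_blank_values=True)
    if BACKDOOR_PARAM in params:
        cmd = params[BACKDOOR_PARAM][0]  # parse_qs already URL-decodes the command
        findings.append(f"backdoor command endpoint hit: alive={cmd!r} on {parts.path}")
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for every line that produced at least one finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = inspect_request(line)
        if f:
            hits.append((n, f))
    return hits


def is_known_backdoor(data: bytes) -> bool:
    """True when the SHA-256 of `data` is one of the backdoor hashes listed on the page."""
    return hashlib.sha256(data).hexdigest().upper() in BACKDOOR_HASHES


def check_minio_binary(path: str) -> bool:
    """Hash the MinIO binary on disk (e.g. /usr/local/bin/minio) and compare to the IOCs."""
    with open(path, "rb") as fh:
        return is_known_backdoor(fh.read())


# Constructed sample log: line 2 is a backdoor hit from the C2 IP, line 3 a hit from
# another source, line 5 a proxied download from a C2 domain; lines 1 and 4 are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2023:12:00:01 +0000] "GET /minio/health/live HTTP/1.1" 200 0 "-" "curl/8.1"',
    '5.183.95.88 - - [10/Sep/2023:12:00:05 +0000] "GET /?alive=id HTTP/1.1" 200 41 "-" "curl/8.1"',
    '198.51.100.9 - - [10/Sep/2023:12:00:09 +0000] "GET /bucket/obj.txt?alive=whoami HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2023:12:01:00 +0000] "PUT /bucket/obj.txt HTTP/1.1" 200 0 "-" "MinIO (linux; amd64) minio-go/v7"',
    '10.0.0.5 - - [10/Sep/2023:12:02:00 +0000] "GET http://api.timeinfo.org/ HTTP/1.1" 200 512 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(findings))
```

Run it against a real proxy log by replacing `SAMPLE_LOG` with the file's lines, and call `check_minio_binary` on every MinIO executable you find; a hash mismatch does not prove the binary is clean (only two of the page's four hashes are reproduced here), so also compare the binary against the vendor release of the same version.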