A brand-new attack vector has emerged in the cloud, allowing cybercriminals to remotely execute code and take full control over systems running the distributed object storage system called MinIO.

MinIO is an open source offering compatible with the Amazon S3 cloud storage service, which allows companies to handle unstructured data like photos, videos, log files, backups, and container images. Researchers at Security Joes recently observed threat actors making use of a set of critical vulnerabilities in the platform (CVE-2023-28434 and CVE-2023-28432) to infiltrate a corporate network.

"The specific exploit chain we stumbled into was not observed in the wild before, or at least documented, making this the first instance of evidence showcasing such non-native solutions are being adopted by attackers," according to Security Joes. "It was surprising to discover that these products could have such relatively easy to exploit new set of critical vulnerabilities, making it an enticing attack vector that can be found by threat actors via online search engines."

In the attack, the cybercriminals duped a DevOps engineer to update MinIO to a new version that effectively functioned as a backdoor. Security Joes incident responders determined that the update was a weaponized version of MinIO containing a built-in command shell function called "GetOutputDirectly()," and remote code execution (RCE) exploits for the two vulnerabilities, which were disclosed in March.

Further, it turns out that this booby-trapped version is available in a GitHub repository under the moniker "Evil_MinIO." Security Joes researchers noted that while this particular attack was stopped before the RCE-and-takeover stage, the existence of the evil-twin software should put users on notice to watch for future attacks, especially against software developers. A successful attack could expose sensitive corporate information and intellectual property, allow access to internal applications, and set attackers up to pivot deeper into organizations' infrastructure.

"Failing to explicitly recognize the paramount importance of security across the entirety of the software development lifecycle constitutes a critical oversight," according to Security Joes' blog post on the investigation. "Such negligence can potentially expose an organization to substantial risks. While these risks might not be immediate, they lurk in the shadows, awaiting the right opportunity for exploitation."