Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Twitter/X Collects More Personal Data
As Elon Musk plans to expand X - the social network formerly known as Twitter - into a do-everything social network, the platform has revised its privacy policy to reflect its plans to collect additional personal data from and about its users.
Musk has approvingly eyed the social networks in China for some time, and his acquisition of Twitter was apparently the first move in a plan to replicate their success. WeChat, in particular, combines instant messaging, voice messaging, social media, video conferencing, video games, location sharing and - perhaps of most interest to Musk - mobile payment, in the form of Weixin Pay. Despite the fact that WeChat, or Wexin, as it is known in China, shares user activity and tracking information with Chinese authorities, the app is hugely popular, with many users barely using anything else.
Perhaps remembering his early involvement in PayPal, Musk would like to expand 'X' to incorporate mobile payment functionality, if not a full marketplace. This will, of course, require stronger authentication, and so the platform has amended its Privacy Policy (at https://twitter.com/en/privacy) to state, "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes". However, the company has not stated what types of biometric data could be collected - facial scans? Iris scans? Fingerprints? - or what they would be used for.
And perhaps eyeing the success of LinkedIn, another clause states:
Job Applications / Recommendations. We may collect and use your personal information (such as your employment history, educational history, employment preferences, skills and abilities, job search activity and engagement, and so on) to recommend potential jobs for you, to share with potential employers when you apply for a job, to enable employers to find potential candidates, and to show you more relevant advertising.
Given the cutting back of Twitter's online safety and security teams, many users will view these additions with some concern.
Threat Actor Turns Object Store Into Backdoor
A new exploit chain discovered by Security Joes Incident Response team links some recent vulnerabilities in order to trojanize the MinIO object storage application and turn it into a backdoor, allowing full control over victim systems.
Many cloud services - which tend to be written in object-oriented languages - need to store unstructured data of various kinds, and so such data stores are a common feature of cloud providers. Examples include Amazon's S3, Azure Blob (Binary Large Object) Storage and Google Cloud Storage. These services provide APIs which allow objects to be directly persisted, as opposed to using an object-relational mapping layer to store an object across multiple tables of a relational database.
However, apart from the major cloud service providers' offerings, there are alternatives - among them MinIO, an open-source high-performance distributed object storage system for the Linux platform, which provides both a RESTful API and a command line interface. In the case highlighted by Security Joes, their MDR team observed a MinIO application executing a series of bash commands and trying to use curl to download Python scripts from external servers.
Closer investigation revealed that the MinIO binary was not the genuine code - rather, it had been trojaned to add extra code which would receive and execute commands via HTTP requests. Analysis of the code, coupled with a search of external repositories, showed that it came from a GitHub project named 'evil_minio'. According to its maintainer, this modified version performs just like the genuine MinIO but adds a backdoor that can be accessed by adding the desired command to an 'alive' parameter in the URL:
http://vulnerable.minio.server/?alive=[shell_command]
Almost no effort is required to use this - in fact, the project maintainer has documented it extensively in a PDF!
The question then became, how did this trojaned version of MinIO get installed? The answer lies in two vulnerabilities:
- CVE-2023-28432 - an information disclosure vulnerability which reveals the values of environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD
- CVE-2023-28434 - a vulnerability which allows crafted requests to bypass metadata bucket name checking and place an object into any bucket while processing PostPolicyBucket
And so installation of the trojaned version is achieved by first obtaining the admin credentials using CVE-2023-28432 via a POST request to /minio/bootstrap/v1/verify, then using these credentials to connect via a remote MinIO command line client and triggering an update that points to an update repository controlled by the attacker (the ability to specify a repository is a legitimate feature, useful for installations which are behind a firewall).
From this point on, the trojaned MinIO installation's backdoor can be used to connect to a C2 server, fetching and executing a variety of post-exploitation bash scripts which can, in turn, be used to profile the compromised system as well as performing network reconnaissance, among other tasks.
The Security Joes blog post provides comprehensive and detailed analysis, along with IOCs and a MITRE ATT&CK mapping of TTPs. The simplest mitigation is to upgrade any MinIO installation to RELEASE.2023-03-20T20-16-18Z or later.
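Two defender-side checks that follow from the chain described above, as an added example that is not from the article, Security Joes or the MinIO project: the first orders MinIO release tags so an installation can be compared against the fixed release named above, and the second scans access-log lines for the two request shapes the story mentions (the 'alive' command parameter and POSTs to the bootstrap verify endpoint). The log format and the sample lines are constructed for the example.

```python
# Added example: defender-side checks for the MinIO trojan chain.
# The access-log format and sample lines below are constructed, not real traffic.
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"  # first fixed release, per the article
RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")


def parse_release(tag: str) -> datetime:
    """Convert a MinIO release tag (RELEASE.YYYY-MM-DDTHH-MM-SSZ) to a datetime."""
    m = RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def release_is_patched(tag: str) -> bool:
    """True when the running release is at or after the first fixed release."""
    return parse_release(tag) >= parse_release(FIXED_RELEASE)


# Constructed log format: "<client> <method> <request-target> <status>"
LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def flag_suspicious_requests(lines):
    """Return (client, reason) pairs for lines matching an indicator from the article."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        client, method, target, _status = m.groups()
        parts = urlsplit(target)
        # keep_blank_values catches a bare "?alive=" probe as well as a command
        if "alive" in parse_qs(parts.query, keep_blank_values=True):
            hits.append((client, "command passed via 'alive' parameter (evil_minio backdoor)"))
        elif method == "POST" and parts.path == "/minio/bootstrap/v1/verify":
            hits.append((client, "POST to bootstrap verify endpoint (CVE-2023-28432 probe)"))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "10.0.0.5 GET /mybucket/report.csv 200",
    "203.0.113.9 POST /minio/bootstrap/v1/verify 200",
    "203.0.113.9 GET /?alive=id 200",
]
```

Run `flag_suspicious_requests(SAMPLE_LOG)` to see the two flagged requests from the constructed sample; a genuine cluster peer calling the verify endpoint would need to be allow-listed before this is used as an alert.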
Security Joes, New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services, blog post, 4 September 2023. Available online at https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.