Attackers Exploit Critical OpenMetadata Flaws for Cryptomining on Kubernetes

Microsoft Threat Intelligence has uncovered a new attack campaign targeting Kubernetes clusters running the popular open-source metadata platform, OpenMetadata. Attackers are exploiting a series of recently disclosed critical vulnerabilities to gain access to workloads and install cryptocurrency mining malware.

The Vulnerabilities

The attack leverages several security flaws (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) present in OpenMetadata versions before 1.3.1. Successful exploitation grants attackers remote code execution capabilities, allowing them to take full control of affected systems.

Additional cryptomining-related malware in the attacker’s server

The attack typically begins with cybercriminals scanning for internet-exposed Kubernetes workloads running vulnerable OpenMetadata instances. Once a target is identified, the attackers exploit these vulnerabilities to gain control over the containers hosting OpenMetadata.

Attack Sequence

Following a successful breach, the attackers carry out a reconnaissance operation to ensure they have robust control over the compromised systems. This phase involves making covert ping requests to domains like oast[.]me and oast[.]pro, using Interactsh—an open-source tool for detecting out-of-band interactions—to confirm network connectivity without raising alarms.

Post-validation, the attackers execute a series of commands to gather detailed information about the compromised environment, which includes data on network configurations, operating system details, and active user accounts. Crucially, they also attempt to access environment variables within OpenMetadata, which might hold sensitive information such as database connection strings and credentials.

With sufficient data harvested and system control established, the attackers proceed to download and execute cryptomining malware from a server based in China, targeting both Linux and Windows operating systems. This phase marks the transition to exploiting the compromised system for financial gain through unauthorized cryptocurrency mining.

Additionally, the attackers ensure persistence on the infected systems by scheduling cron jobs, which allows the malicious code to execute at regular intervals. To maintain hands-on control, they establish a reverse shell connection using the Netcat tool, enabling direct command and control capabilities over the compromised containers.

OpenMetadata’s Role

OpenMetadata acts as a valuable metadata management tool for organizations. However, if misconfigured, it can offer attackers a gateway into Kubernetes environments and the ability to potentially access sensitive data or move laterally within a network.

Recommendations

Microsoft urges the following actions:

• Upgrade Immediately: Update OpenMetadata to version 1.3.1 or later. Any OpenMetadata instances exposed to the internet should be behind strict authentication controls.
• Scan for Vulnerable Images: Use kubectl commands to identify all OpenMetadata images within your cluster and update them promptly.
• Leverage Microsoft Defender for Cloud: Defender for Cloud can detect malicious activity associated with this attack campaign.
• Monitor for IOCs: Utilize the Indicators of Compromise (IOCs) shared by Microsoft to hunt for signs of attack within your systems.