Threat actors have been exploiting known vulnerabilities in open-source platform OpenMetadata in order to access Kubernetes workloads and use them for cryptomining.
The flaws being targeted (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254) affect OpenMetadata versions prior to 1.3.1 and were previously disclosed and patched on March 15. OpenMetadata serves as a central repository that helps users manage metadata across different data sources.
Researchers with Microsoft’s threat intelligence team in a Wednesday analysis said that they have observed attackers exploiting the vulnerabilities since the start of April, in order to bypass authentication and achieve remote code execution. Kubernetes has previously been at the center of attacks leveraging cryptocurrency miners, including a large campaign in 2020 launched against Kubernetes clusters that abused exposed Kubernetes dashboards.
“For initial access, the attackers likely identify and target Kubernetes workloads of OpenMetadata exposed to the internet,” according to researchers. “Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image.”
After exploiting these flaws, attackers perform a number of reconnaissance measures on the system, including reading the environment variables of the workloads - which might contain credentials for services that enable lateral movement - and running a series of commands to gather information about the victim’s environment, such as network and hardware details, the OS version and active users. The attackers also send ping requests to a publicly available service, in this case OAST domains associated with Interactsh, an open-source tool that helps detect out-of-band interactions.
“OAST domains are publicly resolvable yet unique, allowing attackers to determine network connectivity from the compromised system to attacker infrastructure without generating suspicious outbound traffic that might trigger security alerts,” said researchers. “This technique is particularly useful for attackers to confirm successful exploitation and validate their connectivity with the victim, before establishing a command-and-control (C2) channel and deploying malicious payloads.”
After this initial reconnaissance phase, attackers then download cryptomining malware from a remote server located in China, before executing the malware. The attackers also added a personal note to victims, saying their actions are harmless and that they need the money, and asking for donations in Monero.
“Lastly, for hands-on-keyboard activity, the attackers initiate a reverse shell connection to their remote server using the Netcat tool, allowing them to remotely access the container and gain better control over the system,” said researchers. “Additionally, for persistence, the attackers use cronjobs for task scheduling, enabling the execution of the malicious code at predetermined intervals.”
Researchers recommend that users of OpenMetadata check the clusters that run their OpenMetadata workload and ensure that the image is updated to version 1.3.1 or later. If OpenMetadata is exposed to the internet, researchers urged users to use strong authentication.
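As an added example, not code from Microsoft's report or the OpenMetadata project, the following Python audit reads the JSON that `kubectl get pods -A -o json` returns and flags OpenMetadata containers whose image tag is older than the patched 1.3.1 release or is not pinned to a version at all; the namespaces, pod names and image tags in the embedded sample are constructed for illustration.

```python
import json
import re

PATCHED_VERSION = (1, 3, 1)  # release that fixed the five CVEs listed above

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "data", "name": "openmetadata-server-0"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:1.2.0"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-server-1"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:1.3.1"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-ingestion-0"},
         "spec": {"containers": [{"name": "ingestion", "image": "openmetadata/ingestion:1.3.0"}]}},
        {"metadata": {"namespace": "web", "name": "nginx-0"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-server-2"},
         "spec": {"containers": [{"name": "server", "image": "openmetadata/server:latest"}]}},
    ]
})


def parse_version(tag):
    """Return (major, minor, patch) from a tag such as '1.3.1' or 'v1.3.1-rc1'; None if not numeric."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def split_image(image):
    """Split 'registry/repo:tag' into (repo, tag); a missing tag means 'latest'."""
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the ':' belonged to a registry port
        return image, "latest"
    return name, tag


def find_vulnerable_pods(kubectl_json):
    """Return (namespace/pod, image, reason) for OpenMetadata containers that need attention."""
    findings = []
    for pod in json.loads(kubectl_json)["items"]:
        ref = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        containers = pod["spec"].get("containers", []) + pod["spec"].get("initContainers", [])
        for c in containers:
            repo, tag = split_image(c["image"])
            if "openmetadata" not in repo.lower():
                continue  # only OpenMetadata images are in scope for this check
            version = parse_version(tag)
            if version is None:
                # A mutable tag like 'latest' hides the real version; verify it by hand.
                findings.append((ref, c["image"], "unpinned tag, version unknown"))
            elif version < PATCHED_VERSION:
                findings.append((ref, c["image"], "older than 1.3.1"))
    return findings


if __name__ == "__main__":
    for ref, image, reason in find_vulnerable_pods(SAMPLE_KUBECTL_JSON):
        print(f"{ref}: {image} ({reason})")
```

Pipe real cluster output into `find_vulnerable_pods` to get the same report; images referenced by digest rather than tag are reported as unknown and should be checked against the registry.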