Microsoft Threat Intelligence has exposed a new set of critical vulnerabilities in OpenMetadata that are being exploited to compromise Kubernetes workloads for cryptomining.
Discovered and detailed by Microsoft’s security researchers, this attack vector underscores the ongoing threat landscape in containerized environments, with the first incidents observed in early April 2024.
OpenMetadata, an open-source platform that handles metadata management across different data sources, was found to contain multiple vulnerabilities. Identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, these flaws affect versions up to 1.3.0 and could allow unauthorized remote code execution and authentication bypass.
These vulnerabilities were published on March 15, 2024, prompting an urgent need for updates to OpenMetadata installations in Kubernetes clusters.
Attack details
The attackers target exposed OpenMetadata workloads on the internet, using the vulnerabilities to execute code on the containers. After gaining initial access, they conduct reconnaissance within the compromised system, including network and hardware inquiries and environment variable checks, which could reveal further sensitive data.
A notable technique involves the use of OAST (Out-of-band Application Security Testing) domains linked to Interactsh to confirm network connectivity and validate successful exploitation without raising alarms. This stealthy approach helps establish a foothold without triggering immediate security responses.
Once inside, the attackers download and execute cryptomining malware from a server based in China. The malware is designed to mine cryptocurrency, leveraging the resources of the compromised Kubernetes cluster. This stage of the attack not only strains the resources but also poses significant security risks to the broader network.
Defense recommendations
To combat these threats, Microsoft advises administrators to ensure that all OpenMetadata instances are updated to version 1.3.1 or later. Microsoft Defender for Cloud offers capabilities to detect such malicious activities and has already identified unusual patterns consistent with this attack, such as attempts to establish reverse shell connections.
For Kubernetes administrators, the following command can help identify potentially vulnerable OpenMetadata instances within their clusters:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'
Updating these instances can mitigate the risk of exploitation.
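The grep above only lists OpenMetadata images; the script below, an added example that is not part of Microsoft's report, goes one step further and compares each image tag against the fixed release named on this page (1.3.1, with versions up to 1.3.0 affected). It assumes images are tagged with their release version; the image list embedded in it is constructed and stands in for the kubectl output.

```shell
#!/bin/sh
# Classify OpenMetadata container images against the advisory threshold on this page:
# versions up to 1.3.0 are affected, 1.3.1 or later is fixed.
# Input is one image reference per line, the shape the kubectl jsonpath query produces.

# Print VULNERABLE, OK or UNKNOWN for a single image reference.
openmetadata_image_status() {
  image="$1"
  tag="${image##*:}"
  # No explicit tag (implicit "latest") or a digest reference: nothing to compare.
  if [ "$tag" = "$image" ]; then echo UNKNOWN; return 0; fi
  ver="${tag#v}"                      # tolerate a leading "v"
  case "$ver" in *.*.*) ;; *) echo UNKNOWN; return 0 ;; esac
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  patch="${patch%%[!0-9]*}"           # drop suffixes such as -rc1 or a 4th component
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
  done
  # Patched when the version is 1.3.1 or newer.
  if [ "$major" -gt 1 ] \
     || { [ "$major" -eq 1 ] && [ "$minor" -gt 3 ]; } \
     || { [ "$major" -eq 1 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; }; then
    echo OK
  else
    echo VULNERABLE
  fi
}

# Read image references from stdin; report every OpenMetadata image with its status.
scan_openmetadata_images() {
  while IFS= read -r image; do
    case "$image" in
      *openmetadata*) echo "$(openmetadata_image_status "$image") $image" ;;
    esac
  done
}

# Constructed sample standing in for the kubectl output (assumed image names).
SAMPLE_IMAGES='openmetadata/server:1.3.0
openmetadata/ingestion:1.3.1
openmetadata/server:latest
nginx:1.25.3'

# Stand-alone run on the sample; in a cluster, pipe the kubectl command in instead.
printf '%s\n' "$SAMPLE_IMAGES" | scan_openmetadata_images
```

Images reported as UNKNOWN (untagged, digest-pinned, or with a non-numeric tag) still need a manual check of the running version.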
This incident highlights the necessity for continuous vigilance and prompt patching of software in containerized environments, as threat actors with strong financial motives are constantly on the lookout for exploitable vulnerabilities.