Exploiting OpenMetadata Vulnerabilities for Cryptocurrency Mining

May 16, 2024, 2:27 pm

Crooks are exploiting month-old vulnerabilities in OpenMetadata deployments running in Kubernetes environments to mine cryptocurrency with victims’ resources, Microsoft reports.

OpenMetadata is a collection of open-source tools designed for managing and collaborating on substantial amounts of data, enabling functions such as search, data security, and data import/export.

In March, the project’s developers disclosed and fixed five security vulnerabilities affecting versions before 1.3.1. These vulnerabilities could be exploited to bypass authentication and achieve remote code execution (RCE) within OpenMetadata deployments.

Since the beginning of April, cybercriminals have been leveraging these vulnerabilities in unpatched installations exposed to the internet. Microsoft’s threat intelligence team highlighted these security risks, noting that Microsoft itself has faced significant security challenges.

The vulnerabilities in OpenMetadata include:

  • CVE-2024-28255: A critical flaw in authentication, scoring 9.8 out of 10 on the CVSS severity scale. It enables attackers to bypass authentication mechanisms and access any endpoint.
  • CVE-2024-28847: A high-severity code-injection vulnerability rated at 8.8, leading to RCE.
  • CVE-2024-28253: A critical code-injection flaw allowing RCE, with a CVSS score of 9.4.
  • CVE-2024-28848: Another code-injection vulnerability rated at 8.8, enabling RCE.
  • CVE-2024-28254: An OS command injection vulnerability with an 8.8 CVSS rating, facilitating remote code execution.

To infiltrate systems, attackers scan for Kubernetes-based OpenMetadata deployments accessible via the internet. Once they identify vulnerable systems, they exploit the unpatched CVEs to gain entry to the container. Subsequently, they execute commands to gather information about the network, hardware configuration, operating system version, and active users within the victim’s environment.

In a separate development, Microsoft has observed increased efforts from Russia and China to interfere with the upcoming US presidential election. Russian actors have intensified campaigns aimed at undermining US support for Ukraine, with over 70 Russian-affiliated groups involved in influence operations. On the other hand, China employs a multi-faceted approach to destabilize targeted nations by exploiting public polarization and eroding trust in democratic systems.

Microsoft advises exercising caution online, especially with the rise of generative AI technology used to fabricate convincing multimedia content.

The attackers download crypto-mining malware from a remote server in China and may appeal to victims with personal stories to solicit Monero crypto-coins (XMR).

Following the deployment of the mining malware, the attackers establish a reverse shell connection using Netcat to maintain remote access to the container. They also set up cron jobs so that the malware runs at specified intervals.

Administrators running OpenMetadata workloads in their clusters should keep their images up to date. Where OpenMetadata is exposed to the internet, strong authentication should be enforced and default credentials must not be used.