Original Article Text


Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks.

In an ongoing Kubernetes cryptomining campaign, attackers target OpenMetadata workloads using critical remote code execution and authentication vulnerabilities. OpenMetadata is an open-source metadata management platform that helps data engineers and scientists catalog and discover data assets within their organization, including databases, tables, files, and services.

The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMetadata versions 1.2.4 and 1.3.1. Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMetadata workloads left unpatched.

"Once they identify a vulnerable version of the application, the attackers exploit the mentioned vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image," Microsoft threat intel researchers Hagai Ran Kestenberg and Yossi Weizman said. "Once the attackers confirm their access and validate connectivity, they proceed to download the payload, a cryptomining-related malware, from a remote server. We observed the attackers using a remote server located in China."

The server hosting the malware payloads also contains additional cryptomining malware for both Linux and Windows platforms. The attackers will also leave a note on compromised systems, asking the victims to donate Monero cryptocurrency to help them buy a car or a "suite" in China.

In the next stage, they remove the initial payloads from the hijacked Kubernetes app and establish a reverse shell connection using the Netcat tool. This grants them remote access to the container, allowing them to take control of the system. Moreover, to maintain persistent access, the attackers use cronjobs to schedule tasks executing malicious code at predetermined intervals.

Admins who have to expose their OpenMetadata workloads online are advised to change the default credentials and ensure that their apps are patched against recently disclosed vulnerabilities at all times. To get a list of all OpenMetadata workloads running in your Kubernetes environment, you can use the following command:

"This attack serves as a valuable reminder of why it's crucial to stay compliant and run fully patched workloads in containerized environments," Kestenberg and Weizman concluded.
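The inventory step above can be taken one step further: rather than only listing OpenMetadata pods, the added script below (editor's example, not the article's or Microsoft's command) walks `kubectl get pods -A -o json` output and flags every OpenMetadata container whose image tag predates the fixed releases 1.2.4 and 1.3.1 named in the article. It assumes image tags follow `major.minor.patch`, that branches newer than 1.3 carry the fix, and that tags it cannot parse (`latest`, digest-pinned refs) must be reported for manual review rather than treated as safe.

```python
"""Flag OpenMetadata container images whose tag predates the fixed releases
(1.2.4 / 1.3.1). Usage: kubectl get pods -A -o json | python3 check_om.py"""
import json
import re
import sys
# Fixed releases per minor branch as stated in the article. Assumption: later
# branches carry the fix; unparsable tags (e.g. "latest", digests) are "unknown".
FIXED = {(1, 2): (1, 2, 4), (1, 3): (1, 3, 1)}
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def image_tag(image):
    """Return the tag of an image reference, or None if untagged/digest-pinned."""
    name = image.rsplit("/", 1)[-1]  # drop registry/repo path (may contain host:port)
    if "@" in name or ":" not in name:
        return None
    return name.split(":", 1)[1]

def status(image):
    """Classify an OpenMetadata image as 'patched', 'vulnerable' or 'unknown'."""
    m = VERSION_RE.match(image_tag(image) or "")
    if not m:
        return "unknown"
    ver = tuple(int(x) for x in m.groups())
    if ver[:2] in FIXED:
        return "patched" if ver >= FIXED[ver[:2]] else "vulnerable"
    return "vulnerable" if ver[:2] < (1, 2) else "patched"

def scan(pod_list):
    """Report (namespace, pod, image, status) for every OpenMetadata container."""
    out = []
    for pod in pod_list.get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            if "openmetadata" in c["image"].lower():
                out.append((ns, name, c["image"], status(c["image"])))
    return out

# Constructed sample standing in for real `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "data", "name": "om-0"},
     "spec": {"containers": [{"image": "docker.getcollate.io/openmetadata/server:1.2.3"}]}},
    {"metadata": {"namespace": "data", "name": "om-1"},
     "spec": {"containers": [{"image": "openmetadata/server:1.3.1"}]}},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, pod, image, st in scan(data):
        print(f"{st:10} {ns}/{pod}  {image}")
```

Run it without piped input to see it classify the constructed sample (om-0 vulnerable, om-1 patched); anything reported as "unknown" needs the running version checked by hand.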

Daily Brief Summary

CYBERCRIME // Cryptomining Campaign Exploits Kubernetes Using OpenMetadata

Attackers exploit critical vulnerabilities in OpenMetadata workloads within Kubernetes environments, targeting unpatched systems for cryptomining.

Microsoft identified the campaign, noting that the breaches began in early April using previously patched security flaws CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254.

Once access is established, attackers download cryptomining malware from a server based in China, then use tools like Netcat for remote management, establishing a persistent threat within compromised systems.

Affected systems were manipulated to run cronjobs, which schedule the execution of malicious tasks and so keep the malware persistent.

The attackers also request donations in Monero cryptocurrency, claiming they need funds to purchase a car or suite in China.

Microsoft and other security experts urge users to patch affected OpenMetadata workloads and change default credentials to mitigate risks.

This incident underscores the importance of regular updates and stringent security practices in managing containerized software environments.