In an ongoing campaign targeting Kubernetes, hackers are exploiting critical vulnerabilities within OpenMetadata, a metadata management platform. These attackers leverage remote code execution and authentication flaws to compromise OpenMetadata workloads, leading to crypto mining activities. Despite patches released in March for identified vulnerabilities, the attackers have been actively exploiting these weaknesses since early April. Microsoft, who initially detected the attacks, highlights the sophisticated tactics employed by the hackers, including the use of a remote server located in China to deploy cryptomining-related malware.
The security vulnerabilities exploited by the attackers, such as CVE-2024-28255 and CVE-2024-28254, pose significant risks to organizations relying on OpenMetadata for data cataloging and discovery. Once a vulnerable version of the application is identified, hackers swiftly exploit these weaknesses to gain unauthorized access to containers running the OpenMetadata image. Subsequently, they download cryptomining-related malware from a remote server, establishing a foothold in the compromised systems.
Additionally, the attackers leave a note on the breached servers, urging victims to donate Monero cryptocurrency purportedly to fund personal expenses in China. Following the initial compromise, hackers further entrench themselves by establishing reverse shell connections using tools like Netcat, granting them remote access to the compromised containers. To ensure persistent access, the attackers employ cronjobs to schedule malicious tasks, underscoring the importance for administrators to maintain vigilance, update applications, and secure credentials to mitigate such threats effectively.
Admins overseeing OpenMetadata workloads exposed online are strongly advised to implement measures to prevent unauthorized access. This includes promptly applying patches for known vulnerabilities, changing default credentials, and monitoring for any suspicious activities that could indicate a breach. By proactively addressing these security concerns, organizations can better safeguard their data assets and infrastructure from malicious exploitation.
