Hackers Exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters

Attackers are exploiting critical vulnerabilities (CVE-2024-28255, CVE-2024-28847, etc.) in OpenMetadata versions before 1.3.1 to gain unauthorized access and remotely execute code on Kubernetes workloads for cryptomining. 

The vulnerabilities allow attackers to bypass authentication on OpenMetadata deployments in Kubernetes environments. The recommended mitigation is to patch OpenMetadata to version 1.3.1 or later and to use a security solution such as Defender for Cloud to detect this kind of malicious activity.

Attackers target internet-exposed Kubernetes workloads running OpenMetadata and, by exploiting these vulnerabilities, achieve code execution inside the vulnerable container.

To confirm the foothold and assess how much control they have, they send ping requests to pre-defined OAST (out-of-band application security testing) domains; the resulting lookups reach attacker-controlled infrastructure and confirm that the payload ran, without generating obvious red flags.

Following successful exploitation, attackers gather victim environment details through reconnaissance commands, including network configuration, OS version, and active users. 

Figure: Additional cryptomining-related malware on the attacker's server

Attackers read the environment variables of the OpenMetadata workload to harvest credentials, which they use for lateral movement.

After gaining access, the attackers download cryptomining malware from a remote server in China and execute it.

The attackers then establish persistence via cronjobs and cover their tracks by removing initial payloads.

To gain full control, the attackers open a reverse shell connection using Netcat, which gives them remote interactive access to the container and lets them mine cryptocurrency with the victim's resources.

Figure: Note from attacker

To check whether a cluster runs a vulnerable OpenMetadata image, verify the image version with kubectl.

Run the command `kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'` to list every container image in the cluster and filter for OpenMetadata ones.

If an OpenMetadata image is found, update it to the latest version to remove the vulnerabilities. If OpenMetadata must be exposed to the internet, enforce strong authentication and never leave default credentials in place.
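The kubectl command above only lists images; deciding which of them are still below the fixed release is left to the reader. The following script is an added example, not code from the article or the OpenMetadata project: it takes the image list as input, picks out OpenMetadata images, and flags any whose tag is older than 1.3.1 or cannot be parsed into a version. The image names and repository paths in SAMPLE_IMAGES are constructed sample data so the script runs offline.

```sh
#!/bin/sh
# Added example, not code from the article: check the images listed by the kubectl
# command above against the first fixed release (1.3.1). The image names below are
# constructed sample output so the script runs offline; the repository paths are assumed.
SAMPLE_IMAGES='docker.getcollate.io/openmetadata/server:1.2.0
docker.getcollate.io/openmetadata/server:1.3.1
openmetadata/ingestion:1.3.2
openmetadata/server
nginx:1.25'

# version_below TAG FIXED: succeeds (returns 0) when TAG is a numeric major.minor.patch
# tag older than FIXED, or when TAG cannot be parsed (latest, digests, "1.3"), since an
# unparseable tag cannot be shown to be patched and should be reviewed by hand.
version_below() {
  v=${1#v}
  v=${v%%[!0-9.]*}            # drop suffixes such as "-rc1"
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 0 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $v $2                 # $1..$3 = tag parts, $4..$6 = fixed-version parts
  IFS=$old_ifs
  [ "$1" -lt "$4" ] && return 0
  [ "$1" -gt "$4" ] && return 1
  [ "$2" -lt "$5" ] && return 0
  [ "$2" -gt "$5" ] && return 1
  [ "$3" -lt "$6" ]
}

# flag_vulnerable_images IMAGES FIXED: IMAGES is the newline-separated output of the
# kubectl command; prints each OpenMetadata image whose tag is below FIXED or untagged.
flag_vulnerable_images() {
  printf '%s\n' "$1" | while IFS= read -r image; do
    case "$image" in *openmetadata*) ;; *) continue ;; esac
    last=${image##*/}          # last path component, e.g. "server:1.2.0"
    case "$last" in
      *:*) tag=${last##*:} ;;
      *)   tag=latest ;;       # no tag means :latest, which says nothing about the version
    esac
    if version_below "$tag" "$2"; then
      printf '%s\n' "$image"
    fi
  done
}

# On a real cluster, replace SAMPLE_IMAGES with the output of the kubectl command above.
flag_vulnerable_images "$SAMPLE_IMAGES" 1.3.1
```

Untagged images are flagged on purpose: an image running as :latest may or may not be patched, and the only safe answer is to pin an explicit tag of 1.3.1 or later.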

Microsoft's analysis of indicators of compromise (IoCs) tied the malicious activity to three unique executable files with the SHA-256 hashes 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df, 19a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d, and 31cd1651752eae014c7ceaaf107f0bf8323b682ff5b24c683a683fdac7525bad.

It also uncovered connections to three IP addresses potentially associated with the activity: 8.222.144.60, 61.160.194.160, and 8.130.115.208. Further forensic analysis is recommended to determine the scope of any compromise and to put appropriate mitigations in place.



Kaaviya, https://cyberpress.org/

Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
