Hackers Exploit OpenMetadata Apps in Kubernetes for Cryptomining


In a persistent cryptomining campaign targeting Kubernetes environments, threat actors are leveraging critical vulnerabilities within OpenMetadata workloads to execute remote code and bypass authentication.

OpenMetadata, an open-source metadata management platform, is utilized by data engineers and scientists for cataloguing and discovering data assets within organizational ecosystems.

The campaign exploits several security vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) identified and reported on December 14 by GitHub Security Lab's Alvaro Muñoz. These vulnerabilities were subsequently patched on January 5 with the release of OpenMetadata versions 1.2.4 and later. Sriharsha Chintalapani, Collate CTO and OpenMetadata project maintainer, warns that these flaws enable unauthorized users to inject malicious payloads and potentially escalate privileges.

Microsoft, which detected the attacks, disclosed that threat actors have actively exploited these vulnerabilities since early April to compromise unpatched OpenMetadata instances exposed on the internet.

Attackers target vulnerable OpenMetadata versions to gain code execution on the container hosting the application. After confirming access, they download cryptomining-related malware from a remote server, often based in China, which also hosts additional cryptomining threats for Linux and Windows platforms.

Following the initial compromise, attackers establish a reverse shell connection using Netcat to maintain remote access and control over the container. They deploy cronjobs to schedule malicious tasks at regular intervals, ensuring persistent access.

In some instances, attackers leave messages on compromised systems soliciting Monero cryptocurrency donations for personal acquisitions in China.

To mitigate the risks of exposing OpenMetadata workloads online, administrators are advised to change the default credentials and to keep the application patched against known vulnerabilities. Monitoring Kubernetes environments for OpenMetadata workloads, and checking which version each one runs, is recommended so that unauthorized activity can be detected promptly.
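The inventory step above can be scripted. The following is an added example (not code from Microsoft, Collate or the OpenMetadata project) that reads the JSON produced by `kubectl get pods -A -o json`, finds every container whose image name contains "openmetadata", and compares its tag with the first fixed release the article names (1.2.4). The image references and pod list embedded below are constructed sample data, and the assumption that the image repository path contains "openmetadata" is a heuristic to adjust to your own registry naming.

```python
"""Audit a Kubernetes pod list for OpenMetadata containers running a version
older than the patched 1.2.4 release.  Usage:

    kubectl get pods -A -o json | python audit_openmetadata.py
"""
import json
import re
import sys

# First OpenMetadata release carrying the fixes for the CVEs cited in the article.
PATCHED_VERSION = (1, 2, 4)


def parse_image(image):
    """Split an image reference into (repository, tag); a digest suffix is dropped."""
    ref = image.split("@", 1)[0]          # strip '@sha256:...'
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    if last_colon > last_slash:           # a colon after the last '/' introduces the tag
        return ref[:last_colon], ref[last_colon + 1:]
    return ref, None                      # no tag (registry ports like 'host:5000/' are not tags)


def parse_version(tag):
    """Return an (major, minor, patch) tuple for tags like '1.2.3' or 'v1.2.4', else None."""
    if tag is None:
        return None
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(image):
    """Classify one image: None (not OpenMetadata), 'vulnerable', 'patched' or 'unknown-version'."""
    repository, tag = parse_image(image)
    if "openmetadata" not in repository.lower():   # assumed naming heuristic
        return None
    version = parse_version(tag)
    if version is None:                   # ':latest', digest-only, or non-semver tag
        return "unknown-version"          # cannot be judged from the tag; verify manually
    return "vulnerable" if version < PATCHED_VERSION else "patched"


def audit_pods(pod_list):
    """pod_list is the parsed output of `kubectl get pods -A -o json`."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            status = assess(container.get("image", ""))
            if status is None:
                continue
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": container.get("name"),
                "image": container.get("image"),
                "status": status,
            })
    return findings


# Constructed sample pod list (shape of `kubectl get pods -A -o json`, image paths assumed).
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "data", "name": "om-server-0"},
     "spec": {"containers": [{"name": "server",
                              "image": "docker.getcollate.io/openmetadata/server:1.2.3"}]}},
    {"metadata": {"namespace": "data", "name": "om-server-1"},
     "spec": {"containers": [{"name": "server",
                              "image": "docker.getcollate.io/openmetadata/server:1.3.0"}]}},
    {"metadata": {"namespace": "sandbox", "name": "om-test"},
     "spec": {"containers": [{"name": "server", "image": "openmetadata/server:latest"}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
]}


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for f in audit_pods(data):
        print(f"{f['status']:16} {f['namespace']}/{f['pod']} ({f['container']}): {f['image']}")
```

Anything reported as `unknown-version` (a `latest` tag or a digest-only reference) still needs a manual check of the running build, and a `patched` result says nothing about whether the default credentials were changed, so treat this as the first pass of the inventory, not the whole check.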

This campaign underscores the importance of maintaining secure, up-to-date containerized environments to defend against evolving threats like cryptomining attacks. According to Microsoft researchers Hagai Ran Kestenberg and Yossi Weizman, adhering to security best practices and timely patching is essential for maintaining compliance and safeguarding Kubernetes deployments.