Microsoft finds Kubernetes clusters targeted by OpenMetadata exploits

A cryptominer campaign leveraged five vulnerabilities in OpenMetadata to infect environments.

Kubernetes environments have come under attack in a campaign exploiting vulnerabilities in OpenMetadata, Microsoft revealed Wednesday.

The Microsoft Threat Intelligence report described how attackers leveraged five recently disclosed bugs in the open-source metadata management platform to deploy cryptominers on Kubernetes clusters since the beginning of April.

OpenMetadata enables metadata to be managed across different data sources in a central repository for metadata lineage; compromising the OpenMetadata workload can lead to lateral movement due to its connections to other services on the cluster.

Five OpenMetadata vulnerabilities, including a critical improper authentication flaw and a critical code injection bug, were used in the campaign to gain initial access and achieve remote code execution (RCE) on the workloads. The vulnerabilities, which were first disclosed on March 15, are tracked as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254.

The vulnerabilities affect OpenMetadata versions prior to 1.3.1, and administrators who run an OpenMetadata workload on their Kubernetes cluster should ensure the image is up-to-date. Administrators should also use strong authentication measures and replace default credentials if the platform is exposed to the internet, Microsoft said.

Attacker performs reconnaissance before dropping cryptomining malware

Microsoft researchers determined that the attackers involved in this campaign download a cryptomining-related malware payload from a remote server located in China, which also hosts additional cryptomining tools for Windows and Linux operating systems.

Prior to deploying the payload, the attacker sends ping requests to out-of-band application security testing (OAST) domains, likely to determine network connectivity between the compromised system and attacker infrastructure without creating outbound traffic that may be detected as suspicious.

The attackers also use a series of commands to perform reconnaissance on the victim’s environment, querying information such as network and hardware configurations, operating system version and active users. This reconnaissance also involves reading the environment variables of the OpenMetadata workload, which may contain credentials and connection strings that can be leveraged for lateral movement.

Once connectivity is validated and reconnaissance is complete, the cryptomining-related malware payload is retrieved from the remote server and its permissions are elevated to enable execution. The Netcat tool is used to establish a reverse shell connection to the command-and-control (C2) server to give the attacker better remote control over the compromised system and cron jobs are used to execute the malware at predetermined intervals in order to facilitate persistence.

In addition to the cryptominer, the attacker installs a personal note that implores the victim not to report the malware and allow them to resume cryptomining because their family is “very poor” and they “want to buy a car.” The note even includes a Monero cryptocurrency address to make donations to the attacker.

Microsoft’s blog includes indicators of compromise (IoCs) for the campaign and notes that Microsoft was alerted to the campaign due to the attacker triggering Microsoft Defender for Containers alerts. For example, attempting to initiate a reverse shell connection on a Kubernetes cluster will trigger a Microsoft Defender alert.