Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads for cryptocurrency mining operations.
This is according to the Microsoft Threat Intelligence team, which says the flaw has been weaponized since early April 2024.
OpenMetadata is an open source platform that acts as a metadata management tool, providing an integrated solution for data asset discovery, observability, and governance.
The flaws in question were all discovered and credited to security researcher Alvaro Muñoz and are listed below.
- CVE-2024-28847 (CVSS score: 8.8) – Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4)
- CVE-2024-28848 (CVSS score: 8.8) – GET /api/v1/policies/validation/condition/
SpEL injection vulnerability in (fixed in version 1.2.4) - CVE-2024-28253 (CVSS score: 8.8) – SpEL injection vulnerability in PUT /api/v1/policies (fixed in version 1.3.1)
- CVE-2024-28254 (CVSS score: 8.8) – GET /api/v1/events/subscriptions/validation/condition/
SpEL injection vulnerability in (fixed in version 1.2.4) - CVE-2024-28255 (CVSS score: 9.8) – Authentication bypass vulnerability (fixed in version 1.2.4)
Successful exploitation of this vulnerability could allow an attacker to bypass authentication and potentially execute remote code.
The method disclosed by Microsoft targets unpatched OpenMetadata workloads exposed to the internet and executes code on containers running OpenMetadata images.
Once attackers gain an initial foothold, they conduct reconnaissance to determine their level of access to the compromised environment and gather details about network and hardware configurations, operating system versions, number of active users, and environment variables. observed performing activities. .
“This reconnaissance step often involves contacting publicly available services,” said security researchers Hagai Lan Kestenberg and Yossi Weitzman.
“In this particular attack, the attacker sends a ping request to a domain ending in oast.[.]me and aust[.]pro is associated with Interactsh, an open source tool for detecting out-of-band interactions. ”
Doing so allows attackers to establish command-and-control (C2) communications with confidence by verifying network connections from compromised systems to attacker-controlled infrastructure without raising any red flags. The idea is to be able to deploy additional payloads.
The ultimate goal of the attack is to retrieve and deploy a Windows or Linux cryptocurrency mining malware variant from a remote server located in China, depending on the operating system.
Once the miner is launched, the initial payload is removed from the workload and the attacker uses the Netcat tool to start a reverse shell on the remote server, allowing them to take over the system. Persistence is achieved by configuring a cron job to run malicious code at predefined intervals.
Interestingly, the attacker also left a personal note stating that they were poor and needed money to buy a car and a suite. “I don't want to do anything illegal,” the memo said.
We recommend that OpenMetadata users switch to strong authentication methods, avoid using default credentials, and update their images to the latest version.
“This attack serves as a valuable reminder of why it is important to maintain compliance and run fully patched workloads in containerized environments,” the researchers wrote. Stated.
This development comes as publicly accessible Redis servers with disabled authentication or unpatched flaws are being targeted for post-exploit installation of Metasploit Meterpreter payloads. I got it.
“Once Metasploit is installed, threat actors can take control of the infected system and take control of an organization's internal network by leveraging the various capabilities provided by the malware,” according to the AhnLab Security Intelligence Center (ASEC). Stated.
This also follows a report from WithSecure detailing how Docker directory search permissions can be abused to achieve privilege escalation. It is worth pointing out that this issue (CVE-2021-41091, CVSS score: 6.3) was previously reported by CyberArk in February 2022 and addressed by Docker in version 20.10.9.
“Setting the searchable bit for other users on /var/lib/docker/ and child directories could allow a low-privileged attacker to access the filesystem of various containers.” WithSecure said.
