Threat actors are exploiting a set of recently disclosed OpenMetadata vulnerabilities, one critical and four high-severity, to gain access to Kubernetes environments and deploy cryptocurrency mining malware, Microsoft warned this week.
OpenMetadata is an open source metadata store that can be used for data discovery, cataloging and collaboration.
On March 15, OpenMetadata users were informed about the existence of five vulnerabilities, including a critical flaw allowing authentication bypass, and four high-severity issues that can be exploited for remote code execution. The identifiers CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254 have been assigned to these vulnerabilities.
According to Microsoft, threat actors started exploiting these vulnerabilities in early April. They first identify internet-exposed Kubernetes workloads running OpenMetadata, then exploit the vulnerabilities to execute code inside the container running the OpenMetadata image.
Once inside, the attackers run reconnaissance commands to collect information about the compromised environment, then download cryptomining malware from a remote server.
“We observed the attackers using a remote server located in China,” Microsoft said. “The attacker’s server hosts additional cryptomining-related malware that are stored, for both Linux and Windows OS.”
The attackers also establish a reverse shell connection back to their infrastructure, giving them interactive remote access to the container for hands-on-keyboard activity and greater control over the targeted system.
Microsoft has provided instructions on how users can check if their cluster is vulnerable to such attacks. The company has advised users to update OpenMetadata to version 1.3.1 or later.
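The check below is an added example, not Microsoft's or the OpenMetadata project's own code. It lists the containers in a cluster, picks out those whose image name contains "openmetadata", and flags any whose tag is below the fixed release 1.3.1. The kubectl jsonpath line in the comment is the assumed way to produce the input; the pod list in SAMPLE_PODS is constructed so the script runs offline. Images without a numeric tag (untagged, "latest", or pinned by digest) cannot be version-checked from the name alone and are flagged for manual review.

```shell
#!/bin/sh
# Added example: find OpenMetadata container images older than the fixed
# release. Not Microsoft's or OpenMetadata's code. Assumes upstream tags
# are plain dotted versions (1.3.0, 1.3.1, ...).

FIXED_VERSION="1.3.1"

# vercmp A B: prints -1, 0 or 1 for A<B, A==B, A>B on dotted versions.
# Non-numeric suffixes in a component ("1-rc1") are ignored.
vercmp() {
  a="$1"; b="$2"; i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
    x=$(printf '%s' "$x" | sed 's/[^0-9].*//'); x=${x:-0}
    y=$(printf '%s' "$y" | sed 's/[^0-9].*//'); y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
}

# is_vulnerable_image IMAGE: exit 0 if IMAGE is an OpenMetadata image whose
# tag is below FIXED_VERSION (or has no usable numeric tag), else exit 1.
is_vulnerable_image() {
  img="$1"
  case "$img" in
    *openmetadata*) ;;
    *) return 1 ;;
  esac
  tag="${img##*:}"
  # No tag at all, or the ":" belonged to a registry port: flag for review.
  if [ "$tag" = "$img" ] || [ "${tag#*/}" != "$tag" ]; then return 0; fi
  [ "$(vercmp "$tag" "$FIXED_VERSION")" -lt 0 ]
}

# scan_pods: reads "namespace<TAB>pod<TAB>image [image ...]" lines on stdin,
# prints "namespace/pod image" for each flagged image. Exit 0 if any flagged.
# Assumed way to produce that input from a live cluster:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}' | scan_pods
scan_pods() {
  found=1
  while IFS="$(printf '\t')" read -r ns pod images; do
    for img in $images; do
      if is_vulnerable_image "$img"; then
        printf '%s/%s %s\n' "$ns" "$pod" "$img"
        found=0
      fi
    done
  done
  return $found
}

# Constructed sample output (not from a real cluster), one pod per line.
SAMPLE_PODS='data	openmetadata-server-0	docker.getcollate.io/openmetadata/server:1.3.0
data	openmetadata-ingestion-7d9	docker.getcollate.io/openmetadata/ingestion:1.3.1
kube-system	coredns-abc	registry.k8s.io/coredns/coredns:v1.11.1
data	openmetadata-server-latest	docker.getcollate.io/openmetadata/server'

printf '%s\n' "$SAMPLE_PODS" | scan_pods \
  || echo "no OpenMetadata images below $FIXED_VERSION in sample"
```

Run against the constructed sample, the script flags the 1.3.0 server pod and the untagged server pod and leaves the 1.3.1 ingestion container and the unrelated coredns image alone. The image tag is only a first pass: a container can run a patched image and still be reachable from the internet, so the version check belongs alongside a review of which OpenMetadata services are exposed.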
Source: securityweek.com