Possible Chinese Hackers Use OpenMetadata to Cryptomine
Hackers Target OpenMetadata Platforms Running on Cloud Kubernetes Environments

Hackers who appear to be Chinese are exploiting vulnerabilities in the OpenMetadata platform running as workloads on Kubernetes clusters to download cryptomining software, warns Microsoft.
The computing giant said in a Wednesday blog post that a clutch of chained vulnerabilities allows attackers to bypass authentication and achieve remote code execution. The OpenMetadata platform aims to unify metadata culled from multiple sources onto a centralized platform. Microsoft said that at the beginning of this month it began to observe exploitation of OpenMetadata vulnerabilities in Kubernetes environments.
Identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, the flaws affect versions before 1.3.1.
The attack appears to culminate with hackers downloading cryptomining-related software onto Kubernetes environments from a remote server located in China. The attackers also leave a note for victims, urging them not to remove the malware. "Hi man. I've seen several organizations report my Trojan recently, Please let me go," says the note. "I want to buy a car. That's all." It also pleads with victims: "My family is very poor. In China, it's hard to buy a suite." The note includes a cryptocurrency wallet address for donations made with Monero, the privacy-oriented digital currency.
The attack begins with attackers likely identifying and targeting Kubernetes workloads of OpenMetadata exposed to the internet, Microsoft said. After exploiting the vulnerabilities to gain a foothold, the first thing attackers do is validate and assess, sending ping requests to the domains oast.me and oast.pro. These sites are meant for security teams to detect the presence of exploitable vulnerabilities in a web application, but attackers can use them to determine network connectivity "without generating suspicious outbound traffic that might trigger security alerts," Microsoft said.
The reconnaissance phase involves looking for environment variables, including credentials for services used by OpenMetadata, "which could lead to lateral movement to additional resources."
At this point, the hackers download the malware. They also initiate a reverse shell connection to their server and schedule the cryptomining software so it runs in the background at predetermined intervals.
"Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date. If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials," Microsoft said.
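As an added example (not code from the article or from Microsoft's post), the following defender-side script does two of the checks the reporting implies: it flags OpenMetadata container images whose tag is below the fixed 1.3.1 release, and it flags DNS log lines that resolve the OAST domains named above. The image references, registry names and log lines are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Versions before 1.3.1 are affected, per the article.
FIXED_VERSION = (1, 3, 1)

# Domains the article says attackers used for a connectivity check.
OAST_DOMAINS = ("oast.me", "oast.pro")

# Constructed sample of container images seen in a cluster (not real hosts).
SAMPLE_IMAGES = [
    "docker.example.internal/openmetadata/server:1.2.0",
    "openmetadata/server:1.3.1",
    "registry.example:5000/openmetadata/server:1.3.0",
    "nginx:1.25",
    "openmetadata/ingestion:latest",
]

# Constructed sample DNS log lines from a cluster resolver.
SAMPLE_DNS_LOG = [
    "2024-04-03T10:01:12Z pod=openmetadata-0 query=A name=abc123.oast.me",
    "2024-04-03T10:01:13Z pod=openmetadata-0 query=A name=abc123.oast.pro",
    "2024-04-03T10:02:00Z pod=openmetadata-0 query=A name=api.example.internal",
]


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it is untagged."""
    ref = image.split("@", 1)[0]          # drop any digest suffix
    last = ref.rsplit("/", 1)[-1]        # name[:tag], registry ports excluded
    return last.split(":", 1)[1] if ":" in last else None


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn a numeric tag such as 1.3 or v1.3.0 into a 3-tuple, else None."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,2})", tag)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def vulnerable_images(images: List[str]) -> List[str]:
    """Images that look like OpenMetadata with a version tag below 1.3.1.
    Untagged or non-numeric tags (e.g. latest) are not flagged here; they
    need a digest lookup before a verdict can be given."""
    out = []
    for image in images:
        if "openmetadata" not in image.lower():
            continue
        tag = image_tag(image)
        ver = parse_version(tag) if tag else None
        if ver is not None and ver < FIXED_VERSION:
            out.append(image)
    return out


def flag_oast_queries(lines: List[str]) -> List[str]:
    """Log lines whose queried name is one of the OAST domains or a subdomain."""
    pat = re.compile(r"(?:^|[\s.=])(?:" + "|".join(map(re.escape, OAST_DOMAINS))
                     + r")(?:$|[\s/:])")
    return [line for line in lines if pat.search(line)]
```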