Crooks are exploiting month-old OpenMetadata vulnerabilities in Kubernetes environments to mine cryptocurrency using victims' resources, according to Microsoft.

OpenMetadata is a suite of open-source software for organizing and working on non-trivial amounts of information, making it possible to search, secure, and export and import data, among other things.

In March, the project's maintainers disclosed and fixed five security vulnerabilities that affected versions prior to 1.3.1, which could be abused to bypass authentication and gain remote code execution (RCE) within OpenMetadata deployments. 

Digital thieves have been exploiting the bugs in unpatched installations that are exposed to the internet since the beginning of April, according to a threat intelligence team at Microsoft, which itself is no stranger to horrific security bugs.

Those OpenMetadata vulnerabilities are:

• CVE-2024-28255, a critical improper authentication flaw that received a 9.8-out-of-10 CVSS severity rating. It can allow an attacker to bypass the authentication mechanism and reach any arbitrary endpoint.
• CVE-2024-28847, an 8.8-rated high-severity code-injection bug that can lead to RCE.
• CVE-2024-28253, a code-injection flaw that can allow RCE. This one is rated critical, and has a 9.4 CVSS score.
• CVE-2024-28848, another 8.8-rated code-injection flaw that can allow RCE.
• CVE-2024-28254, an OS command injection flaw that received an 8.8 CVSS rating and can open users up to remote code execution.

To gain access, the attackers scan for Kubernetes-based deployments of OpenMetadata that are exposed to the internet. After finding vulnerable systems, they exploit the unpatched CVEs to gain access to the container, and then run a series of commands to collect information on the network and hardware configuration, OS version, and active users, among other information about the victim's environment.

"As part of the reconnaissance phase, the attackers read the environment variables of the workload," Microsoft security boffins Hagai Ran Kestenberg and Yossi Weizman wrote.

In this case, "those variables may contain connection strings and credentials for various services used for OpenMetadata operation which could lead to lateral movement to additional resources."

The attackers then download crypto-mining malware from a remote server in China, and, in some cases, add a personal note to the victim:

There's no word from Redmond as to whether this sob story ever works, or ends with the victims happily transferring Monero crypto-coins (XMR) to the crooks. 

We do know, however, that after running the mining malware, the miscreants start a reverse shell connection using Netcat to maintain remote access to the container, and also install cronjobs for scheduling, which allows them to execute the malware at predetermined times.

"Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date," the Redmond duo wrote. "If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials." ®

https://www.theregister.com//2024/04/18/cryptojackers_openmetadata_kubernetes/