April 17, 2024 at 05:07PM
Attackers are actively targeting OpenMetadata workloads running in Kubernetes by exploiting several vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848 and CVE-2024-28254), all of which were patched on March 15 in OpenMetadata versions 1.2.4 and 1.3.1. Microsoft reports that after gaining code execution the attackers download cryptomining-related malware from a remote server, open a reverse shell for remote access and use cron jobs for persistence. Admins are advised to change default credentials and keep OpenMetadata images patched.
Key takeaways from the report:
1. Attackers are targeting OpenMetadata workloads in an ongoing Kubernetes cryptomining campaign, chaining critical remote code execution vulnerabilities with an authentication bypass flaw.
2. The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched on March 15, in OpenMetadata versions 1.2.4 and 1.3.1.
3. Microsoft first spotted the attacks and has confirmed that the attackers have been actively exploiting the vulnerabilities since early April to hijack unpatched OpenMetadata workloads.
4. Attackers are exploiting the vulnerabilities to gain code execution on the container running the vulnerable OpenMetadata image and then downloading a cryptomining-related malware payload from a remote server located in China.
5. The server hosting the malware payloads also contains additional cryptomining malware for both Linux and Windows platforms.
6. The attackers are leaving a note on compromised systems, asking victims to donate Monero cryptocurrency to help them buy a car or a “suite” in China.
7. After the initial payloads are removed, the attackers establish a reverse shell to the container using Netcat, giving them interactive remote access.
8. To maintain access, they install cron jobs that run their malicious code at fixed intervals.
9. Admins are advised to change default credentials and ensure all apps are patched against vulnerabilities. They are also recommended to run fully patched workloads in containerized environments.
10. A command is provided to get a list of all OpenMetadata workloads running in a Kubernetes environment.
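The report's own command only lists OpenMetadata workloads; the script below is an added example (not Microsoft's command, nor OpenMetadata project code) that goes one step further: it walks the JSON that `kubectl get pods --all-namespaces -o json` emits, picks out every container whose image reference mentions OpenMetadata, parses the image tag and marks the workload as vulnerable or patched against the 1.2.4 / 1.3.1 fix versions named above. The embedded pod list is constructed sample data, the image names (`docker.getcollate.io/openmetadata/server`, `openmetadata/ingestion`) are illustrative assumptions, and treating release branches newer than 1.3 as fixed is likewise an assumption.

```python
import json
import re
import sys

# Fix versions named in the report: 1.2.4 on the 1.2 branch, 1.3.1 on the 1.3 branch.
# Assumption for this example: every branch newer than 1.3 post-dates the fix.
FIXED_VERSIONS = {(1, 2): (1, 2, 4), (1, 3): (1, 3, 1)}


def image_version(image):
    """Return (major, minor, patch) parsed from an image reference's tag, or None.

    Handles registries with ports (host:5000/repo/name:tag) by looking only at
    the last path component, tolerates a leading 'v', and returns None for
    digest-only references (name@sha256:...) or tags like 'latest', which carry
    no usable version.
    """
    last = image.rsplit("/", 1)[-1]
    if "@" in last or ":" not in last:
        return None
    tag = last.split(":", 1)[1]
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True/False for a known version, None when the version could not be parsed."""
    if version is None:
        return None
    branch = version[:2]
    if branch < (1, 2):
        return True  # everything before the 1.2 branch predates both fixes
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return False  # assumption: branches newer than 1.3 ship with the fix
    return version < fixed


def find_openmetadata_workloads(pod_list):
    """Scan a `kubectl get pods -A -o json` document for OpenMetadata containers.

    Returns one finding per matching container (init containers included) with
    namespace, pod, container name, image, parsed version and patch status.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            image = c.get("image", "")
            if "openmetadata" not in image.lower():
                continue
            version = image_version(image)
            vuln = is_vulnerable(version)
            status = "unknown" if vuln is None else ("VULNERABLE" if vuln else "patched")
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta.get("name", ""),
                "container": c.get("name", ""),
                "image": image,
                "version": version,
                "status": status,
            })
    return findings


# Constructed sample data (not a real cluster), shaped like kubectl's JSON output.
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"namespace": "data", "name": "openmetadata-server-7c9d5"},
         "spec": {"containers": [{"name": "server",
                                  "image": "docker.getcollate.io/openmetadata/server:1.2.3"}]}},
        {"metadata": {"namespace": "data", "name": "openmetadata-ingestion-5f8b2"},
         "spec": {"containers": [{"name": "ingestion",
                                  "image": "docker.getcollate.io/openmetadata/ingestion:latest"}]}},
        {"metadata": {"namespace": "analytics", "name": "openmetadata-server-0"},
         "spec": {"containers": [{"name": "server",
                                  "image": "docker.getcollate.io/openmetadata/server:1.3.1"}]}},
        {"metadata": {"namespace": "monitoring", "name": "prometheus-0"},
         "spec": {"containers": [{"name": "prometheus",
                                  "image": "quay.io/prometheus/prometheus:v2.51.0"}]}},
        {"metadata": {"namespace": "dev", "name": "openmetadata-server-old"},
         "spec": {"containers": [{"name": "server",
                                  "image": "openmetadata/server:1.1.0"}]}},
    ]
}


if __name__ == "__main__":
    # Real use: kubectl get pods --all-namespaces -o json | python3 scan_openmetadata.py
    pod_list = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_openmetadata_workloads(pod_list):
        print(f"{f['status']:10} {f['namespace']}/{f['pod']} ({f['container']}): {f['image']}")
```

Images tagged `latest` or referenced by digest come back as "unknown" rather than "patched": the tag alone cannot prove the fix is present, so those pods still need the running version checked inside the container.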