April 18, 2024 at 02:15AM
The Microsoft Threat Intelligence team has observed threat actors exploiting vulnerabilities in the OpenMetadata platform to gain access to Kubernetes workloads and use them for cryptocurrency mining. These flaws, discovered by Alvaro Muñoz, enable authentication bypass and code execution. The threat actors conduct reconnaissance, establish command-and-control communications, and deploy crypto-mining malware. Users are urged to update their images and implement strong authentication methods.
Key Takeaways from the Meeting Notes:
1. **Security Threats**: Vulnerabilities in OpenMetadata are being exploited by threat actors for cryptocurrency mining. These vulnerabilities include SpEL (Spring Expression Language) injection and authentication bypass, which together can lead to remote code execution.
2. **Attack Modus Operandi**: Threat actors target unpatched OpenMetadata workloads and gain code execution in the container running the OpenMetadata image. They then carry out reconnaissance to determine their level of access and to gather network and hardware configuration details, using publicly available services to validate outbound network connectivity without raising red flags.
3. **Payload Deployment**: After gaining access, the threat actors download crypto-mining malware from a remote server located in China, remove the initial payloads, and establish a reverse shell for remote control of the container. They achieve persistence by creating cron jobs that run the malicious code at predefined intervals.
4. **Recommended Actions**: OpenMetadata users are advised to switch to strong authentication methods, avoid default credentials, and update their images to the latest version so that they run fully patched workloads in their containerized environments.
5. **Related Threat Trends**: The meeting notes also highlight the targeting of publicly accessible Redis servers and the abuse of search permissions on Docker directories for privilege escalation, reinforcing the need for continuous vigilance and timely patching to mitigate security risks.