
Possible Chinese Hackers Use OpenMetadata to Cryptomine

Hackers Target OpenMetadata Platforms Running on Cloud Kubernetes Environments
Hackers who appear to be Chinese would rather use Kubernetes clusters running hacked OpenMetadata platforms to mine crypto than their own infrastructure. (Image: Shutterstock)

Hackers who appear to be Chinese are exploiting vulnerabilities in the OpenMetadata platform running as workloads on Kubernetes clusters to download cryptomining software, warns Microsoft.


The computing giant in a Wednesday blog post said a clutch of chained vulnerabilities allows attackers to bypass authentication and achieve remote code execution. The OpenMetadata platform aims to unify metadata culled from multiple sources onto a centralized platform. Microsoft said that at the beginning of this month it began to observe exploitation of OpenMetadata vulnerabilities in Kubernetes environments.

Identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, the flaws affect versions before 1.3.1.

The attack appears to culminate with hackers downloading cryptomining-related software onto Kubernetes environments from a remote server located in China. The attackers also leave a note for victims, urging them not to remove the malware. "Hi man. I've seen several organizations report my Trojan recently, Please let me go," says the note. "I want to buy a car. That's all." It also pleads with victims: "My family is very poor. In China, it's hard to buy a suite." The note includes a cryptocurrency wallet address for donations made with the monero privacy-oriented digital currency.

The attack begins with attackers likely identifying and targeting Kubernetes workloads of OpenMetadata exposed to the internet, Microsoft said. After exploiting the vulnerabilities to gain a foothold, the first thing attackers do is validate and assess, sending ping requests to the domains oast.me and oast.pro. These sites are meant for security teams to detect the presence of exploitable vulnerabilities in a web application, but attackers can use them to determine network connectivity "without generating suspicious outbound traffic that might trigger security alerts," Microsoft said.

The reconnaissance phase involves looking for environment variables, including credentials for services used by OpenMetadata, "which could lead to lateral movement to additional resources."

At this point, the hackers download the malware. They also initiate a reverse shell connection to their server and schedule the cryptomining software so it runs in the background at predetermined intervals.

"Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date. If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials," Microsoft said.
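Two defender-side checks that follow from the campaign described above, written as an added example rather than code from Microsoft or the OpenMetadata project: a version gate for OpenMetadata images against the 1.3.1 cutoff, and a detector that flags DNS queries from cluster pods to the oast.me and oast.pro connectivity-check domains. The log format, pod names and image registry path are constructed assumptions.

```python
"""Added example: defender checks for the OpenMetadata cryptomining campaign.
Sample data below is constructed, not taken from any real incident."""
import re
from typing import Iterable, List, Tuple

# Domains the article says attackers ping after gaining a foothold.
OAST_DOMAINS = ("oast.me", "oast.pro")
# First OpenMetadata release the article names as unaffected.
FIXED_VERSION = (1, 3, 1)


def parse_version(image: str) -> Tuple[int, int, int]:
    """Extract the first x.y.z version from an image reference such as
    'registry.example/openmetadata/server:1.2.0' -> (1, 2, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        raise ValueError(f"no semantic version in image reference: {image!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_image(image: str) -> bool:
    """True when the image tag is older than 1.3.1 (the article's cutoff)."""
    return parse_version(image) < FIXED_VERSION


def flag_oast_queries(dns_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (pod, qname) pairs for queries to OAST domains or their subdomains.
    Assumed (constructed) log format: '<timestamp> pod=<name> qname=<fqdn>'."""
    hits = []
    for line in dns_lines:
        m = re.search(r"pod=(\S+)\s+qname=(\S+)", line)
        if not m:
            continue  # not a query record in the assumed format
        pod, qname = m.groups()
        q = qname.rstrip(".").lower()  # drop trailing dot, normalise case
        if any(q == d or q.endswith("." + d) for d in OAST_DOMAINS):
            hits.append((pod, q))
    return hits


# Constructed sample DNS log lines (not real data).
SAMPLE_DNS = [
    "2024-04-03T10:01:02Z pod=openmetadata-0 qname=github.com.",
    "2024-04-03T10:01:09Z pod=openmetadata-0 qname=c9k2abcd.oast.me.",
    "2024-04-03T10:01:10Z pod=openmetadata-0 qname=c9k2abcd.oast.pro.",
    "2024-04-03T10:02:00Z pod=frontend-7 qname=api.example.com.",
]

if __name__ == "__main__":
    print(flag_oast_queries(SAMPLE_DNS))
    print(is_vulnerable_image("registry.example/openmetadata/server:1.2.3"))
```

A single pod resolving both OAST domains within seconds is the connectivity check the article describes, so the two hits should be correlated per pod rather than alerted on individually.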


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



