Malicious Miners Misuse Openings in OpenMetadata

Unpatched vulnerabilities in OpenMetadata, a popular data organization tool, are being exploited by attackers to deploy cryptojacking malware within Kubernetes environments.

Microsoft security researchers first identified the campaign in early April. The attackers are targeting critical remote code execution (RCE) and authentication flaws (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) that were patched in OpenMetadata versions 1.2.4 and 1.3.1 on March 15th.

These vulnerabilities allow attackers to gain unauthorized access to OpenMetadata deployments running on Kubernetes, a container orchestration platform. Once inside, they can download and execute cryptomining malware on the compromised systems. Cryptomining malware leverages a system's processing power to generate cryptocurrency for the attacker, which can cause a significant slowdown of infected machines and increased energy consumption.

According to Hagai Ran Kestenberg and Yossi Weizman, security researchers at Microsoft, attackers appear to be focusing on internet-facing OpenMetadata instances. After exploiting a vulnerability, they confirm access and establish a connection before downloading the cryptomining payload from a remote server, most likely located in China.

Organizations utilizing OpenMetadata within Kubernetes environments are urged to update to the latest patched versions (1.2.4 or 1.3.1) immediately to mitigate the risk of this attack. Additionally, implementing strong authentication practices and refraining from exposing non-essential services to the internet can significantly reduce the attack surface.
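As an added check (not code from the article or from the OpenMetadata project), the Python audit below walks Kubernetes pod and Service listings, flags OpenMetadata containers whose image tag is below the patched versions the article names (1.2.4 and 1.3.1), and records whether a LoadBalancer or NodePort Service exposes the same app label. The cluster data is a constructed sample, and the handling of release lines other than 1.2 and 1.3 is my assumption.

```python
import re
# Fixed releases named in the article, keyed by release line (major, minor).
PATCHED = {(1, 2): (1, 2, 4), (1, 3): (1, 3, 1)}
# Service types that give a workload an externally reachable entry point.
EXPOSED_TYPES = {"LoadBalancer", "NodePort"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(image):
    """(major, minor, patch) from an image tag like ':1.3.0' or ':v1.2.4-rc1'; None if untagged."""
    m = VERSION_RE.search(image.rsplit(":", 1)[-1]) if ":" in image else None
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True if version is at or above the fix for its line. Assumption (mine, not the
    article's): lines older than 1.2 have no fix and must upgrade; newer than 1.3 include it."""
    line = version[:2]
    return version >= PATCHED[line] if line in PATCHED else line > (1, 3)

def audit(pods, services):
    """Flag OpenMetadata containers on unpatched (or unverifiable) images and note
    which exposing Services select the pod's app label in the same namespace."""
    exposure = {}
    for svc in services["items"]:
        if svc["spec"].get("type") in EXPOSED_TYPES:
            key = (svc["metadata"]["namespace"], svc["spec"].get("selector", {}).get("app"))
            exposure.setdefault(key, set()).add(svc["spec"]["type"])
    findings = []
    for pod in pods["items"]:
        meta = pod["metadata"]
        key = (meta["namespace"], meta.get("labels", {}).get("app"))
        for c in pod["spec"]["containers"]:
            if "openmetadata" not in c["image"].lower():
                continue
            ver = parse_version(c["image"])
            if ver is None or not is_patched(ver):
                findings.append({"pod": meta["name"], "namespace": meta["namespace"],
                                 "image": c["image"], "exposed_via": sorted(exposure.get(key, ()))})
    return findings

# Constructed sample shaped like `kubectl get pods,services -A -o json` (not real cluster data).
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "om-0", "namespace": "data", "labels": {"app": "openmetadata"}},
     "spec": {"containers": [{"image": "openmetadata/server:1.3.0"}]}},
    {"metadata": {"name": "om-1", "namespace": "analytics", "labels": {"app": "openmetadata"}},
     "spec": {"containers": [{"image": "openmetadata/server:1.3.1"}]}}]}
SAMPLE_SERVICES = {"items": [
    {"metadata": {"name": "om", "namespace": "data"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "openmetadata"}}},
    {"metadata": {"name": "om", "namespace": "analytics"},
     "spec": {"type": "ClusterIP", "selector": {"app": "openmetadata"}}}]}
```

Running `audit(SAMPLE_PODS, SAMPLE_SERVICES)` reports only `om-0` (version 1.3.0, exposed via LoadBalancer); an image without a parseable tag is also reported, since its patch level cannot be verified.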

Security experts recommend that organizations also consider security scanning solutions designed to detect vulnerabilities within containerized applications.

The rise of cryptojacking malware within cloud environments continues to be a pressing concern. This recent attack is a stark reminder of the importance of maintaining up-to-date software and adhering to security best practices.