Cybercriminals Take Advantage of OpenMetadata Vulnerabilities to Cryptocurrency Mine on Kubernetes

The Microsoft Threat Intelligence team has revealed that threat actors are exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads for cryptocurrency mining.

These vulnerabilities, discovered by security researcher Alvaro Muñoz, include:

  • CVE-2024-28847 – SpEL injection vulnerability in PUT /api/v1/events/subscriptions
  • CVE-2024-28848 – SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr>
  • CVE-2024-28253 – SpEL injection vulnerability in PUT /api/v1/policies
  • CVE-2024-28254 – SpEL injection vulnerability in GET /api/v1/events/subscriptions/validation/condition/<expr>
  • CVE-2024-28255 – Authentication bypass vulnerability

Exploiting these vulnerabilities could lead to authentication bypass and remote code execution. Users are advised to update to the latest version and use strong authentication methods.
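
The endpoint list above can be turned directly into an access-log check. The following Python is an added example, not code from Microsoft or OpenMetadata: it assumes Common Log Format access logs from a proxy in front of OpenMetadata, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# (CVE, HTTP method, path pattern) taken from the endpoint list in the article.
RULES = [
    ("CVE-2024-28847", "PUT", re.compile(r"^/api/v1/events/subscriptions/?$")),
    ("CVE-2024-28848", "GET", re.compile(r"^/api/v1/policies/validation/condition/(?P<expr>.+)$")),
    ("CVE-2024-28253", "PUT", re.compile(r"^/api/v1/policies/?$")),
    ("CVE-2024-28254", "GET", re.compile(
        r"^/api/v1/events/subscriptions/validation/condition/(?P<expr>.+)$")),
]

# Assumption: Common Log Format (client, ident, user, [time], "request", status).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines):
    """Return one hit per request that reaches an endpoint named in the CVE list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        path = m["target"].split("?", 1)[0]  # ignore any query string
        for cve, method, pattern in RULES:
            pm = pattern.match(path)
            if pm and m["method"] == method:
                expr = pm.groupdict().get("expr")  # expression carried in the URL path
                hits.append({"ip": m["ip"], "cve": cve, "status": int(m["status"]),
                             "expr": unquote(expr) if expr else None})
    return hits

def by_client(hits):
    """Group matched CVE endpoints per client address for triage."""
    seen = defaultdict(set)
    for hit in hits:
        seen[hit["ip"]].add(hit["cve"])
    return {ip: sorted(cves) for ip, cves in seen.items()}

# Constructed sample input (documentation address ranges, placeholder expressions).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2024:10:01:02 +0000] "GET /api/v1/policies/validation/condition/EXAMPLE%20EXPRESSION HTTP/1.1" 200 12',
    '203.0.113.7 - - [17/Apr/2024:10:01:05 +0000] "PUT /api/v1/events/subscriptions HTTP/1.1" 200 345',
    '198.51.100.20 - - [17/Apr/2024:10:02:00 +0000] "GET /api/v1/tables?limit=10 HTTP/1.1" 200 2048',
    '198.51.100.20 - - [17/Apr/2024:10:02:09 +0000] "GET /api/v1/events/subscriptions/validation/condition/EXAMPLE HTTP/1.1" 401 0',
    '198.51.100.20 - - [17/Apr/2024:10:02:11 +0000] "GET /api/v1/policies HTTP/1.1" 200 900',
]
```

A hit is a lead for review rather than proof of exploitation, because these routes also serve legitimate API clients; the decoded `expr` value and the response status are the fields to examine first.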

Threat actors target unpatched OpenMetadata workloads to gain code execution and carry out reconnaissance activities to gather information about the compromised environment.

They establish command-and-control communications and deploy crypto-mining malware, aiming to achieve persistence through cron jobs and remote shell access.

The attackers leave a note claiming financial need and requesting support to buy a car and a suite. It’s essential to maintain fully patched workloads in containerized environments to mitigate such attacks.

Publicly accessible Redis servers and Docker directories have also been targeted for post-exploitation activities, highlighting the importance of maintaining security measures to prevent unauthorized access.

It’s crucial to address vulnerabilities promptly and stay informed about potential security risks to protect against malicious activities in the digital landscape.

Stay safe and secure your digital assets!