
Crypto Miners Hijack Kubernetes Using OpenMetadata Vulnerabilities, Microsoft Warns As Tech Giant Faces Own Threats

Last Updated April 23, 2024 10:31 AM
Samantha Dunn

Key Takeaways

  • OpenMetadata has become a cyberattack target because of several critical vulnerabilities.
  • These flaws, exploited in the wild since early April 2024, let attackers bypass authentication and execute code remotely on exposed instances.
  • Microsoft, which uncovered the campaign, has itself been hit by state-sponsored attackers.

Microsoft’s Threat Intelligence team has alerted the tech community to a series of attacks in which cybercriminals exploit vulnerabilities in OpenMetadata to hijack Kubernetes workloads for cryptocurrency mining.

Flaws in the platform, which provides data asset discovery, observability, and governance, give attackers unauthorized access to the Kubernetes workloads that host it and let them misuse those workloads.

Increasing Vulnerability in Tech Infrastructure

OpenMetadata, an open-source metadata management platform, has been identified as having multiple security vulnerabilities that have been actively exploited since early April 2024.

The vulnerabilities cited by Microsoft include several injection flaws that could allow attackers to bypass authentication controls and execute code remotely on affected systems.

Microsoft’s report details how attackers target internet-exposed OpenMetadata instances that remain unpatched. Upon gaining access, attackers perform extensive reconnaissance to assess their level of access and gather valuable information about the network and hardware configurations, as well as the operating system specifics and environment variables.

The Attack Process

Once inside, the attackers typically issue ping requests to domains ending in oast[.]me and oast[.]pro, which belong to Interactsh, an open-source tool for detecting out-of-band interactions. The callback confirms that the exploit succeeded and that the compromised workload can reach the internet, a low-noise check that sets the stage for the rest of the attack.
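The Interactsh callbacks described above are one of the few artifacts of this stage that a defender can see from outside the container: they show up as DNS lookups for throwaway subdomains of oast.me and oast.pro. The following script, added here as an illustration and not taken from the article or from Microsoft’s report, scans DNS resolver log lines for such lookups and reports which pod IPs made them. It assumes the log lines follow the shape of CoreDNS `log` plugin output; the sample lines are constructed for this example and are not real traffic. Matching is done on whole domain labels, so a name such as `toast.me` does not trigger a false positive.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Out-of-band callback domains named in Microsoft's report. Kept as a
# parameter so other Interactsh-style domains can be added if needed.
OOB_DOMAINS = ("oast.me", "oast.pro")

# Constructed sample lines in the shape of CoreDNS `log` plugin output
# (assumed format; not real traffic):
#   [INFO] client_ip:port - query_id "TYPE IN name. proto size do bufsize RCODE flags len duration"
SAMPLE_LOG = """\
[INFO] 10.244.1.17:53124 - 40217 "A IN api.github.com. udp 32 false 512 NOERROR qr,rd,ra 80 0.002s"
[INFO] 10.244.1.17:53125 - 40218 "A IN c8h2k1x9f7.oast.me. udp 38 false 512 NOERROR qr,rd,ra 70 0.031s"
[INFO] 10.244.3.4:41880 - 11922 "A IN openmetadata.svc.cluster.local. udp 48 false 512 NOERROR qr,aa,rd 94 0.001s"
[INFO] 10.244.1.17:53126 - 40219 "A IN z1q0p5m7w3.oast.pro. udp 39 false 512 NOERROR qr,rd,ra 71 0.029s"
[INFO] 10.244.2.9:50001 - 77001 "A IN toast.me. udp 26 false 512 NXDOMAIN qr,rd,ra 101 0.004s"
"""

# Extract the client IP (IPv4 or bracketed IPv6), query type and query name.
LINE_RE = re.compile(
    r'^\[\w+\] (?P<src>[\d.]+|\[[0-9a-fA-F:]+\]):\d+ - \d+ '
    r'"(?P<qtype>\S+) IN (?P<qname>\S+) '
)


def is_oob_callback(qname: str, domains: Tuple[str, ...] = OOB_DOMAINS) -> bool:
    """True if qname is one of the callback domains or a subdomain of one.

    Comparison is label-aware: 'x.oast.me' matches, 'toast.me' does not.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def find_oob_callbacks(
    lines: Iterable[str], domains: Tuple[str, ...] = OOB_DOMAINS
) -> List[Tuple[str, str]]:
    """Return (client_ip, queried_name) for every OOB callback lookup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query log line; skip rather than guess
        if is_oob_callback(m["qname"], domains):
            hits.append((m["src"], m["qname"].rstrip(".")))
    return hits


def callbacks_per_source(hits: List[Tuple[str, str]]) -> Counter:
    """Count callback lookups per client IP, the pivot for pod attribution."""
    return Counter(src for src, _ in hits)


if __name__ == "__main__":
    found = find_oob_callbacks(SAMPLE_LOG.splitlines())
    for src, name in found:
        print(f"OOB callback from {src}: {name}")
    print(dict(callbacks_per_source(found)))
```

The client IP is a pod IP, so the next step is `kubectl get pods -A -o wide` to map it to a workload; an OpenMetadata pod resolving these domains is a strong signal of exploitation. Treat the rule as a lead, not a verdict: Interactsh is also used by legitimate vulnerability scanners such as nuclei, so the same lookups from a scanner pod or a runner are expected.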

Once reconnaissance is complete, the attackers establish command-and-control communications and deploy cryptocurrency mining malware from a remote server based in China. The malware comes in variants for the operating system of the compromised container, either Windows or Linux.

In a bizarre disclosure, the attackers left behind a personal note in the attacked systems, stating their financial distress and their reluctance to engage in illegal activities, in what appears to be an attempt to justify their actions.

To mitigate these threats, Microsoft advises OpenMetadata users to adopt strong authentication, replace default credentials, and update to the latest version.

Addressing Security Concerns: OpenMetadata’s Response

OpenMetadata shared an update with CCN stating that the vulnerability detailed by Microsoft was previously disclosed:

The OpenMetadata community takes the security and trust of the open-source project seriously. We also get the help of security researchers on publicly available code to find vulnerabilities and address them quickly. CVE-2024-XXXX is a security vulnerability that was previously disclosed on Dec 14 and subsequently patched on Jan 5.

OpenMetadata has openly documented this process and its security measures in a detailed blog post.

Microsoft Fields Security Threats from Midnight Blizzard

This recent string of cyberattacks has also touched Microsoft, which was forced to admit that a breach exposed US government emails. CISA confirmed that communications between Microsoft and several civilian government agencies were compromised.

The state-sponsored hackers behind that breach, known as Midnight Blizzard, used a password spray attack to gain a foothold in Microsoft’s internal systems.

The Kubernetes incident is part of a broader trend of cybercriminals targeting exposed servers wherever they find them. Similar weaknesses have been exploited in other inadequately secured platforms such as Redis and Docker, underscoring how widespread such attacks have become.

The rise in the frequency of these attacks serves as a reminder of the difficulty of maintaining security practices in even the most sophisticated platforms. As digital infrastructure continues to evolve, so does the landscape of cybersecurity threats targeting public-facing servers and poorly secured infrastructures.
