Keypoints
- Five CVEs (including CVE-2024-28255 and CVE-2024-28253) affect OpenMetadata versions prior to 1.3.1; chained, they allow unauthenticated attackers to bypass authentication and achieve remote code execution.
- CVE-2024-28255 is an authentication bypass: JwtFilter mishandles path parameters in request URLs, so crafted requests evade JWT validation and can reach endpoints that evaluate SpEL. CVE-2024-28253 is a SpEL injection: PolicyRepository.prepare evaluates the expression contained in a policy submitted via PUT /api/v1/policies, which yields code execution in the container.
- Attackers target internet-exposed OpenMetadata Kubernetes workloads to gain code execution in the container image and then perform environment reconnaissance and credential harvesting (env vars, connection strings).
- Attackers first confirm that exploitation worked and that the pod has outbound connectivity by triggering callbacks to Interactsh out-of-band domains (oast[.]me, oast[.]pro) before delivering the real payload.
- Malicious activity observed includes downloading cryptomining binaries (XMR miner), reverse shells via Netcat, and persistence via cronjobs; additional Linux and Windows malware were hosted on the attacker server.
- Detection and remediation steps: enumerate cluster images (kubectl command provided), update OpenMetadata images to version 1.3.1 or newer, and avoid exposing instances without strong authentication.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers “exploit the vulnerabilities to gain code execution on the container hosting the vulnerable OpenMetadata image.”
- [T1553] Subvert Trust Controls (authentication bypass) – CVE-2024-28255 stems from “JWT token validation deficiencies in JwtFilter, allowing attackers to manipulate path parameters, evade authentication, and potentially inject arbitrary SpEL expressions.” (The sub-technique T1553.002 is Code Signing and does not apply here.)
- [T1059] Command and Scripting Interpreter – The SpEL injection in PolicyRepository.prepare leads to RCE when attackers send a PUT request to “/api/v1/policies,” causing “SpEL expression evaluation” of attacker-controlled input on the server.
- [T1082] System Information Discovery – After access, attackers “execute reconnaissance commands to gather information on the victim’s environment, including network configuration, OS version, and active users.”
- [T1552] Unsecured Credentials – Attackers “extract environment variables of the Kubernetes workload, potentially containing connection strings and credentials for lateral movement.” (Environment variables are not files, so the Credentials in Files sub-technique is a poor fit.)
- [T1105] Ingress Tool Transfer – Actors “download a cryptomining malware for mining XMR from a remote server, which is then executed with elevated permissions.”
- [T1496] Resource Hijacking – The downloaded XMR miner consumes the victim cluster’s compute for the attacker’s benefit.
- [T1095] Non-Application Layer Protocol – Operators establish a “reverse shell connection to their remote server using the Netcat tool for remote access”; a Netcat reverse shell is a raw TCP connection rather than an application-layer protocol.
- [T1053.005] Scheduled Task/Job: Cron – Persistence is achieved by “scheduling tasks using cronjobs, ensuring the execution of malicious code at specific intervals.”
- [T1071] Application Layer Protocol (OAST callbacks) – Attackers validate exploitation and outbound connectivity by contacting domains ending with “oast[.]me and oast[.]pro” associated with Interactsh, which records the DNS or HTTP interaction out of band. (T1592, Gather Victim Host Information, is a pre-compromise reconnaissance technique and does not describe this post-exploitation check.)
Indicators of Compromise
- [IP Address] attacker infrastructure – 8[.]222[.]144[.]60, 61[.]160[.]194[.]160, plus one further address not reproduced on this page
- [SHA-256 hash] payloads hosted on attacker server – 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df, 19a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d, plus one further hash not reproduced on this page
- [Domain] out-of-band validation domains – oast[.]me, oast[.]pro (used with Interactsh to confirm exploitation)
- [Image version/Artifact] vulnerable OpenMetadata images – versions preceding 1.3.1 (upgrade to 1.3.1 or newer)
Attackers exploited multiple vulnerabilities in OpenMetadata (notably CVE-2024-28255 and CVE-2024-28253) to achieve remote code execution on internet-exposed Kubernetes workloads. CVE-2024-28255 abuses weak JWT token validation in JwtFilter: by manipulating path parameters in the request URL an unauthenticated caller evades the filter and can reach endpoints that evaluate SpEL. CVE-2024-28253 is a SpEL injection: PolicyRepository.prepare evaluates the condition expression of a policy submitted via PUT /api/v1/policies without adequate validation, so an attacker-supplied expression executes code inside the container.
Following exploitation, operators validated access using out-of-band Interactsh domains (oast[.]me / oast[.]pro), performed reconnaissance (collecting network configuration, OS version, active users, and environment variables that may contain credentials), and downloaded an XMR cryptominer and additional Linux and Windows malware from a remote server. They established a reverse shell with Netcat for remote control and implemented persistence by creating cronjobs to ensure repeated execution of the malicious binaries.
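The following is an added hunting example, not code from the original article or from the OpenMetadata project. It runs three of the checks the chain above implies over plain log lines: PUT requests to /api/v1/policies (the CVE-2024-28253 sink), request paths carrying Java-style path parameters (a generic heuristic for the CVE-2024-28255 primitive, not the specific bypass payload), callbacks to the Interactsh OAST domains, and connections to the attacker IPs listed in the IoC section. The sample access-log, DNS-log and flow lines are constructed for the example; the log formats and the 203.0.113.9 source address are assumptions.

```python
"""Hunt plain log lines for the OpenMetadata exploitation chain (added example).

Checks, each over raw text lines so the exact log format barely matters:
  1. access log: PUT /api/v1/policies (CVE-2024-28253 SpEL sink) and request paths
     containing ';' (Java path parameters; a generic heuristic for CVE-2024-28255)
  2. any log: callbacks to Interactsh OAST domains (oast.me / oast.pro)
  3. any log: the attacker IPs from the page's IoC list
"""
import re

IOC_IPS = {"8.222.144.60", "61.160.194.160"}  # attacker infrastructure from the IoC list
OAST_RE = re.compile(r"\b[\w.-]+\.oast\.(?:me|pro)\b", re.IGNORECASE)
# request line inside a combined-format access log entry: method, path(+query), protocol
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hunt_access_log(lines):
    """Return (reason, line) pairs for suspicious OpenMetadata API requests."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        method = m.group("method")
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if method == "PUT" and path == "/api/v1/policies":
            findings.append(("policy PUT (CVE-2024-28253 sink, verify the caller)", line))
        if ";" in path:
            findings.append(("path parameter in URL (CVE-2024-28255 style, heuristic)", line))
    return findings


def hunt_iocs(lines):
    """Return (reason, line) pairs for OAST callbacks and known attacker IPs."""
    findings = []
    for line in lines:
        for dom in OAST_RE.findall(line):
            findings.append((f"OAST callback to {dom.lower()}", line))
        for ip in sorted(IOC_IPS.intersection(IP_RE.findall(line))):
            findings.append((f"known attacker IP {ip}", line))
    return findings


# Constructed sample lines (not real telemetry): an ingress access log in combined
# format, then a CoreDNS-style query log line and two netflow-style lines.
SAMPLE_ACCESS = [
    '203.0.113.9 - - [18/Apr/2024:09:12:01 +0000] "PUT /api/v1/policies HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '203.0.113.9 - - [18/Apr/2024:09:12:00 +0000] "GET /api/v1/users;x=1 HTTP/1.1" 200 210 "-" "curl/8.4.0"',
    '10.0.5.2 - - [18/Apr/2024:09:13:44 +0000] "GET /api/v1/tables?limit=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SAMPLE_OTHER = [
    '[INFO] 10.244.1.5:51234 - 12345 "A IN c3k2d9.oast.me. udp 40 false 512" NOERROR qr,rd,ra 80 0.012s',
    "flow src=10.244.1.5 dst=8.222.144.60 dport=443 proto=tcp bytes=20480",
    "flow src=10.244.1.5 dst=10.0.0.10 dport=5432 proto=tcp bytes=1024",
]

if __name__ == "__main__":
    for reason, line in hunt_access_log(SAMPLE_ACCESS) + hunt_iocs(SAMPLE_OTHER):
        print(f"[{reason}] {line}")
```

A policy PUT is normal administrative traffic, so the first check is a lead to triage (who issued it, from where, with which token), not a verdict on its own; an OAST callback or a connection to a listed IP from an OpenMetadata pod is a much stronger signal.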
Detection and mitigation steps: enumerate pod images across all namespaces and search for OpenMetadata images (kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep openmetadata; note that this lists only regular containers, so add .spec.initContainers[*].image if you use init containers), update any vulnerable images to OpenMetadata version 1.3.1 or newer, avoid exposing instances to the internet without strong authentication, and hunt for the listed IPs, hashes, and OAST domain callbacks to identify existing compromises.
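As an added example (not code from the original article or from the OpenMetadata project), the script below turns the output of the kubectl command above into a version verdict per image. It handles the cases that trip up a naive grep: several images on one line, registry ports that look like tags, tags such as latest, digest-pinned references with no tag at all, and pre-release suffixes on the fixed version. The sample output is constructed; the image repository names are assumptions.

```python
"""Triage OpenMetadata container images for versions older than 1.3.1 (added example).

Input is the stdout of:
  kubectl get pods --all-namespaces \
    -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
i.e. one pod per line, container images separated by spaces.
"""
import re

FIXED = (1, 3, 1)                                   # first fixed release per the page
TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")        # leading numeric version of a tag


def split_image(ref):
    """Split 'registry[:port]/repo[:tag][@digest]' into (repo, tag or None, digest or None)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # a ':' after the last '/' introduces the tag; a ':' before it is a registry port
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        repo, tag = ref, None
    return repo, tag, digest


def assess(ref):
    """Return ('vulnerable' | 'fixed' | 'unknown', ref) for OpenMetadata images,
    or None for images that are not OpenMetadata at all."""
    repo, tag, _digest = split_image(ref)
    if "openmetadata" not in repo.lower():
        return None
    m = TAG_RE.match(tag or "")
    if not m:                                       # latest, digest-only, non-numeric tag
        return ("unknown", ref)
    version = tuple(int(x) for x in m.groups())
    suffix = tag[m.end():]
    if version == FIXED and suffix.startswith("-"):  # e.g. 1.3.1-rc1: predates the fix?
        return ("unknown", ref)
    return ("vulnerable" if version < FIXED else "fixed", ref)


def triage(kubectl_output):
    """Return sorted, de-duplicated (verdict, image) pairs for every OpenMetadata image."""
    verdicts = set()
    for line in kubectl_output.splitlines():
        for ref in line.split():
            v = assess(ref)
            if v is not None:
                verdicts.add(v)
    return sorted(verdicts)


# Constructed sample output (not from a real cluster); repository names are assumed.
SAMPLE = """\
docker.getcollate.io/openmetadata/server:1.2.3 docker.getcollate.io/openmetadata/ingestion:1.2.3
docker.getcollate.io/openmetadata/server:1.3.1
openmetadata/server:latest
localhost:5000/openmetadata/server@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
docker.elastic.co/elasticsearch/elasticsearch:8.11.4
"""

if __name__ == "__main__":
    for verdict, image in triage(SAMPLE):
        print(f"{verdict:10s} {image}")
```

Images that come back as unknown (latest, digest-pinned, pre-release) need a look at the running container, for example the version reported by the OpenMetadata API or the image's labels, before they are cleared; a digest pin is not evidence of a patched build.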
Read more: https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes