Attackers exploited five OpenMetadata vulnerabilities to gain remote code execution in internet-exposed Kubernetes workloads and deploy cryptomining malware. They used out-of-band interactions to reconnoiter, then downloaded and ran mining payloads, establishing persistence via cronjobs and a reverse shell with Netcat. #OpenMetadata #Interactsh #CVE-2024-28255 #CVE-2024-28253 #cryptomining #XMR #Netcat
Keypoints
- Five OpenMetadata vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) can lead to authentication bypass and Remote Code Execution in versions before 1.3.1.
- Attackers target OpenMetadata workloads exposed to the internet to achieve initial access and code execution inside the vulnerable container.
- Reconnaissance uses Interactsh (oast.me/oast.pro) to validate intrusion and establish out-of-band connectivity without arousing suspicion.
- Once access is confirmed, attackers retrieve cryptomining malware (XMR) from a remote server (noted as being in China) and execute it with elevated permissions.
- Persistence is achieved by cronjobs; they also establish a reverse shell via Netcat for ongoing remote access.
- Indicators of Compromise include specific IPs, domain names (oast.me, oast.pro), and several SHA-256 hashes associated with the campaign.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers target OpenMetadata workloads exposed to the internet and exploit vulnerabilities to gain code execution on the container hosting the vulnerable image. [‘Attackers begin by targeting Kubernetes workloads of OpenMetadata that are exposed to the internet. Upon identifying a vulnerable version, they exploit the vulnerabilities to gain code execution on the container hosting the vulnerable OpenMetadata image.’]
- [T1053.005] Scheduled Task/Cron Jobs – Attackers establish persistence by scheduling tasks using cronjobs to ensure malicious code runs at intervals. [‘…establish persistence by scheduling tasks using cronjobs, ensuring the execution of malicious code at specific intervals.’]
- [T1105] Ingress Tool Transfer – Attackers download cryptomining malware from a remote server for mining XMR. [‘…download a cryptomining malware for mining XMR from a remote server…’]
- [T1059] Command and Scripting Interpreter – Attackers use Netcat to create a reverse shell for remote access. [‘Following the malware’s deployment, attackers initiate a reverse shell connection to their remote server using the Netcat tool for remote access.’]
- [T1082] System Information Discovery – Attackers gather information on OS version and environment. [‘…gather information on the victim’s environment, including network configuration, OS version, and active users.’]
- [T1016] System Network Configuration Discovery – Attackers collect network configuration details. [‘…gather information on the victim’s environment, including network configuration…’]
- [T1033] Account Discovery – Attackers identify active users on the victim system. [‘…including network configuration, OS version, and active users.’]
- [T1071] Application Layer Protocol – Attackers leverage Interactsh/OAST domains to validate exploitation via out-of-band interactions. [‘They utilize ping requests to domains ending with oast[.]me and oast[.]pro, associated with Interactsh—an open-source tool for detecting out-of-band interactions.’]
Indicators of Compromise
- [IP Addresses] 8.222.144.60, 61.160.194.160
- [Domains] oast.me, oast.pro
- [SHA-256 hashes] 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df, 19a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d, 31cd1651752eae014c7ceaaf107f0bf8323b682ff5b24c683a683fdac7525bad
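The indicators above are only useful once they are matched against telemetry. The script below is an added example (not code from the SOCRadar write-up or from the OpenMetadata project) that hunts for the page's IoCs in a constructed sample of DNS, network-connection and file-hash records from a Kubernetes workload; the record format (`dns`/`net`/`file` lines with `key=value` fields) and the sample lines are assumptions made for illustration, while the IPs, domains and hashes are the ones listed on the page. Because Interactsh callbacks use random labels under oast.me and oast.pro, the domain check matches any subdomain of those suffixes while rejecting look-alikes such as `notoast.me`.

```python
"""Hunt for the OpenMetadata cryptomining campaign's IoCs in sample telemetry.

Added example, not code from the original write-up. IoC values are the ones
listed on the page; the log records below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# IoCs as listed on the page.
IOC_IPS = {"8.222.144.60", "61.160.194.160"}
IOC_DOMAINS = {"oast.me", "oast.pro"}
IOC_SHA256 = {
    "7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df",
    "19a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d",
    "31cd1651752eae014c7ceaaf107f0bf8323b682ff5b24c683a683fdac7525bad",
}

# Constructed sample records (assumed format: "<kind> key=value key=value ...").
# Lines 1, 3 and 5 should be flagged; the rest are benign or look-alikes.
SAMPLE_LOG = """\
dns query=c5g9h2k1.oast.me src=pod/openmetadata-0 rcode=NOERROR
dns query=updates.example.org src=pod/openmetadata-0 rcode=NOERROR
net dst=8.222.144.60:80 src=pod/openmetadata-0 proto=tcp
net dst=10.0.0.5:3306 src=pod/openmetadata-0 proto=tcp
file sha256=7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df path=/tmp/.x/run
file sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=/etc/hostname
dns query=notoast.me src=pod/frontend-1 rcode=NXDOMAIN
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line_no: int
    reason: str
    record: str


def matches_ioc_domain(name: str) -> bool:
    """True if `name` is an IoC domain or any subdomain of one.

    Interactsh hands out random labels under its base domains, so a suffix
    match is needed; the leading dot keeps 'notoast.me' from matching.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def parse_record(line: str) -> tuple[str, dict[str, str]]:
    """Split '<kind> k=v k=v' into the record kind and a field dict."""
    kind, _, rest = line.strip().partition(" ")
    return kind, dict(KV_RE.findall(rest))


def scan(lines: list[str]) -> list[Hit]:
    """Return one Hit per record that touches a page-listed IoC."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        kind, fields = parse_record(line)
        if kind == "dns" and matches_ioc_domain(fields.get("query", "")):
            hits.append(Hit(n, f"DNS query to Interactsh domain {fields['query']}", line.strip()))
        elif kind == "net":
            # Strip the port; IoC list gives bare IPs.
            host = fields.get("dst", "").rsplit(":", 1)[0]
            if host in IOC_IPS:
                hits.append(Hit(n, f"connection to IoC IP {host}", line.strip()))
        elif kind == "file" and fields.get("sha256", "").lower() in IOC_SHA256:
            hits.append(Hit(n, f"file with IoC SHA-256 {fields['sha256'][:12]}...", line.strip()))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.reason}\n    {hit.record}")
```

In a real deployment the `SAMPLE_LOG` block would be replaced by a stream from the cluster's DNS resolver logs, CNI flow logs and file-integrity or image-scanning output; a single DNS hit on an OAST suffix from an OpenMetadata pod is worth treating as a confirmed exploitation attempt, since the page describes that lookup as the attackers' first step after gaining code execution.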
Read more: https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/