Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

'I want to buy a car. That's all'

Crooks are exploiting now-patched OpenMetadata vulnerabilities in Kubernetes environments to mine cryptocurrency using victims' resources, according to Microsoft.

OpenMetadata is a suite of open-source software for organizing and working on non-trivial amounts of information, making it possible to search, secure, and export and import data, among other things.

In March, the project's maintainers disclosed they had fixed five security vulnerabilities that affected versions prior to 1.3.1, which could be abused to bypass authentication and gain remote code execution (RCE) within OpenMetadata deployments. 

Digital thieves have been exploiting one or more of the flaws in unpatched OpenMetadata installations that are exposed to the internet since the beginning of April, according to a threat intelligence team at Microsoft, which itself is no stranger to horrific security bugs.

Those OpenMetadata vulnerabilities are:

  • CVE-2024-28255, a critical improper authentication flaw that received a 9.8-out-of-10 CVSS severity rating. It can allow an attacker to bypass the authentication mechanism and reach any arbitrary endpoint.
  • CVE-2024-28847, an 8.8-rated high-severity code-injection bug that can lead to RCE.
  • CVE-2024-28253, a code-injection flaw that can allow RCE. This one is rated critical, and has a 9.4 CVSS score.
  • CVE-2024-28848, another 8.8-rated code-injection flaw that can allow RCE.
  • CVE-2024-28254, an OS command injection flaw that received an 8.8 CVSS rating and can open users up to remote code execution.

To gain access, the attackers scan for Kubernetes-based deployments of OpenMetadata that are exposed to the internet. After finding vulnerable systems, they exploit the unpatched CVEs to gain access to the container, and then run a series of commands to collect information on the network and hardware configuration, OS version, and active users, among other information about the victim's environment.

Election disinfo off to a slow start

In other Microsoft news, Redmond says Russia and China are stepping up efforts to stick their oars into the upcoming US presidential election, again.

Russian trolls "kicked into gear" in the past 45 days, with a "renewed focus on undermining US support for Ukraine," according to the second Microsoft Threat Intelligence Election Report. This includes influence campaigns from at least 70 Russian-affiliated groups.

"The most prolific of these actors are backed by or affiliated with the Russian Presidential Administration, highlighting the increasingly centralized nature of Russian influence campaigns, rather than relying principally on its intelligence services and the Internet Research Agency (known more commonly as the troll farm) as seen during the 2016 US presidential election," the report stated. 

It adds that these disinformation campaigns target both English and Spanish-speaking audiences in America and push anti-Ukraine narratives.

China, meanwhile, "uses a multi-tiered strategy that aims to destabilize targeted countries by exploiting increasing polarization among the public and undermining faith in centuries-old democratic systems," we're told. 

Plus, Beijing is much better than Russia at using generative AI to create convincing images and videos, Redmond says, noting that Storm-1376 (aka Spamouflage), remains one of the most prolific groups using AI to generate fake news. Our advice? Apply some common sense to things you see online, and stick to reputable, trusted sources of information.

"As part of the reconnaissance phase, the attackers read the environment variables of the workload," Microsoft security boffins Hagai Ran Kestenberg and Yossi Weizman wrote.

In this case, "those variables may contain connection strings and credentials for various services used for OpenMetadata operation which could lead to lateral movement to additional resources."

The attackers then download crypto-mining malware from a remote server in China, and, in some cases, add a personal note to the victim:

Hi man. I've seen several organizations report my Trojan recently, Please let me go. I want to buy a car. That's all. I don't want to hurt others. I can't help it. My family is very poor. In China, it's hard to buy a suite. I don't have any accommodation. I don't want to do anything illegal. Really, really if you are interested, you can give me XMR, my address is…

There's no word from Redmond as to whether this sob story ever works, or ends with the victims happily transferring Monero crypto-coins (XMR) to the crooks. 

We do know, however, that after running the mining malware, the miscreants start a reverse shell connection using Netcat to maintain remote access to the container, and also install cronjobs for scheduling, which allows them to execute the malware at predetermined times.

"Administrators who run OpenMetadata workload in their cluster need to make sure that the image is up to date," the Redmond duo wrote. "If OpenMetadata should be exposed to the internet, make sure you use strong authentication and avoid using the default credentials." ®

More about


Send us news

Other stories you might like