Microsoft Security recently revealed a sophisticated cyber-attack campaign that targets Kubernetes clusters by exploiting newly discovered vulnerabilities in the OpenMetadata platform.

The attackers have set their sights on Kubernetes workloads, leveraging critical vulnerabilities in the OpenMetadata platform to infiltrate and exploit these systems for cryptomining activities.

OpenMetadata, an open-source platform designed for comprehensive metadata management across various data sources, has become the latest target due to its widespread use and central role in data governance and discovery.

On March 15, 2024, a series of vulnerabilities within the OpenMetadata platform were disclosed, affecting versions prior to 1.3.1.

These vulnerabilities, identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, pose a significant risk as they allow attackers to bypass authentication mechanisms, enabling unauthorized code execution on containers running the vulnerable OpenMetadata versions.

Initial Access and Exploitation

Microsoft said the attack begins by identifying Kubernetes workloads running OpenMetadata that are exposed to the Internet.


By pinpointing systems running outdated and vulnerable versions of the application, attackers can exploit the vulnerabilities mentioned to gain unauthorized access and execute malicious code within the container environment.

This method of attack not only compromises the integrity and confidentiality of the Kubernetes workloads but also allows attackers to use the compromised systems for cryptomining, siphoning off valuable computing resources for their own gain.

In response to this critical threat, Microsoft strongly recommends that all customers review their Kubernetes clusters running OpenMetadata workloads.

It is imperative that these systems be updated to the latest version (1.3.1 or later) to mitigate the risk of exploitation.

How to Check For Vulnerability

If OpenMetadata needs to be accessible on the internet, ensure that secure authentication mechanisms are in place and avoid relying on default login credentials.

To get a list of all the images running in the cluster:

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'

If there is a pod with a vulnerable image, update the image version to the latest version.
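The kubectl listing above still leaves the version comparison to the reader. The following is an added example (not from Microsoft's advisory or the OpenMetadata project) that triages that output: it parses each image reference, compares the tag against the fixed release 1.3.1, and flags images pinned by digest or without a numeric tag as needing a manual check. The sample listing and the image repository names are constructed for illustration.

```python
import re
from typing import Optional, Tuple

FIXED_VERSION = (1, 3, 1)  # first OpenMetadata release containing the fixes

# Constructed sample, in the shape the kubectl jsonpath command prints
# (one pod per line, container images separated by spaces).
# Repository names are assumptions for illustration only.
SAMPLE_IMAGES = """docker.getcollate.io/openmetadata/server:1.2.0 nginx:1.25
docker.getcollate.io/openmetadata/server:1.3.1
docker.getcollate.io/openmetadata/ingestion:1.3.0
registry.example.internal/openmetadata/server@sha256:0123456789abcdef
"""

def parse_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn a tag such as '1.3.1' or 'v1.3.1-rc1' into a comparable tuple; None if not numeric."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())

def classify_image(image: str) -> str:
    """Return 'vulnerable', 'patched', 'unknown' or 'not-openmetadata' for one image reference."""
    if "openmetadata" not in image.lower():
        return "not-openmetadata"
    if "@sha256:" in image:
        return "unknown"  # pinned by digest; resolve the digest to a version by hand
    _name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return "unknown"  # no tag (implicit 'latest') or the colon was a registry port
    version = parse_version(tag)
    if version is None:
        return "unknown"  # non-numeric tag such as 'latest' or 'main'
    return "vulnerable" if version < FIXED_VERSION else "patched"

def triage(kubectl_output: str) -> dict:
    """Group every OpenMetadata image reference in the listing by verdict."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for line in kubectl_output.splitlines():
        for image in line.split():
            verdict = classify_image(image)
            if verdict in result and image not in result[verdict]:
                result[verdict].append(image)
    return result

if __name__ == "__main__":
    # For live use, replace SAMPLE_IMAGES with the output of the kubectl command above.
    for verdict, images in triage(SAMPLE_IMAGES).items():
        print(f"{verdict}: {images}")
```

Anything reported as "unknown" is not cleared: a digest-pinned or untagged image must be resolved to its actual release before the pod is considered safe.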
