Container Security: Exploiting Vulnerabilities in OpenMetadata for Cryptocurrency Mining
Introduction
In recent years, the use of containers in managing and deploying applications has become increasingly popular. Containers provide a lightweight and flexible way to package and distribute software, making it easier for developers to build, deploy, and scale applications. However, as with any technology, containers are not immune to security vulnerabilities. In this article, we will explore the recent exploitation of critical vulnerabilities in OpenMetadata, an open-source metadata management tool, by threat actors for cryptocurrency mining activity.
Vulnerabilities in OpenMetadata
OpenMetadata is an open-source platform that enables users to manage metadata for their data assets. It provides a unified solution for data asset discovery, observability, and governance. However, security researcher Alvaro Muñoz discovered several critical vulnerabilities in OpenMetadata, which have since been exploited by threat actors.
The vulnerabilities include:
CVE-2024-28847: This vulnerability is an injection vulnerability in Spring Expression Language (SpEL) that allows attackers to execute arbitrary code. It was fixed in version 1.2.4 of OpenMetadata.
CVE-2024-28848: Another SpEL injection vulnerability, this time in the GET /api/v1/policies/validation/condition/ endpoint. This vulnerability was also fixed in version 1.2.4.
CVE-2024-28253: This vulnerability, fixed in version 1.3.1, allows attackers to inject SpEL code through the PUT /api/v1/policies endpoint.
CVE-2024-28254: Similar to the previous vulnerabilities, this one allows SpEL injection through the GET /api/v1/events/subscriptions/validation/condition/ endpoint. It was fixed in version 1.2.4.
CVE-2024-28255: This vulnerability is an authentication bypass that allows attackers to gain unauthorized access. It was fixed in version 1.2.4 and has a high CVSS score of 9.8.
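The fixed-in versions above are enough to audit which deployed image tags still carry one of these CVEs. The following is an added example (not OpenMetadata project code or part of the original article); the image references in it are constructed, and the version parsing assumes plain semantic-version tags such as the release numbers listed.

```python
import re

# Lowest OpenMetadata release carrying the fix, taken from the CVE list above.
FIXED_IN = {
    "CVE-2024-28847": "1.2.4",
    "CVE-2024-28848": "1.2.4",
    "CVE-2024-28253": "1.3.1",
    "CVE-2024-28254": "1.2.4",
    "CVE-2024-28255": "1.2.4",
}

def parse_version(tag):
    """Turn a tag such as '1.2.3' or 'v1.3.0-rc1' into a comparable tuple.
    Returns None for tags that carry no version number (e.g. 'latest')."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())

def open_cves(tag):
    """CVEs from the table that an image with this tag does not yet fix.
    A tag without a version is treated as unverified and returns the whole table."""
    v = parse_version(tag)
    if v is None:
        return sorted(FIXED_IN)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed))

def image_tag(ref):
    """Extract the tag from 'registry[:port]/repo[:tag][@digest]'; 'latest' when absent."""
    ref = ref.split("@", 1)[0]                 # drop any digest suffix
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                  # the ':' belonged to a registry port
        return "latest"
    return tag

def audit(image_refs):
    """Map each image reference to the CVEs still open for it (empty means patched)."""
    return {ref: open_cves(image_tag(ref)) for ref in image_refs}

if __name__ == "__main__":
    # Constructed references for illustration only.
    for ref, cves in audit(["openmetadata/server:1.2.3",
                            "registry.example.com:5000/openmetadata/server",
                            "openmetadata/server:1.3.1"]).items():
        print(ref, "->", cves or "patched")
```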
Exploitation and Modus Operandi
The Microsoft Threat Intelligence team has observed threat actors actively exploiting these vulnerabilities since April 2024. The attackers target internet-exposed OpenMetadata workloads that have not been patched, allowing them to gain code execution on the container running the OpenMetadata image.
Upon gaining initial access, the threat actors carry out reconnaissance activities to gather information about the compromised environment. They collect details about the network and hardware configuration, operating system version, number of active users, and environment variables. To validate network connectivity to attacker-controlled infrastructure, the attackers send ping requests to domains associated with Interactsh, an open-source tool for detecting out-of-band interactions.
After this reconnaissance step, the attackers establish command-and-control (C2) communications and deploy additional payloads. Their ultimate goal is to retrieve and run crypto-mining malware from a remote server in China, choosing the payload according to the operating system. Once the miner is launched, the initial payloads are removed, and the attackers gain control over the system by initiating a reverse shell using the Netcat tool. They maintain persistence by setting cron jobs to run the malicious code at predefined intervals.
Insights and Recommendations
The active exploitation of vulnerabilities in OpenMetadata serves as a reminder of the importance of maintaining compliance and running fully patched workloads in containerized environments. Here are some key insights and recommendations for users of OpenMetadata to mitigate the risk of exploitation:
1. Strong Authentication: Implement strong authentication methods to prevent unauthorized access to OpenMetadata. Avoid using default credentials and enforce the use of complex passwords.
2. Regular Patching: Keep the OpenMetadata images up to date by applying the latest patches and security updates. Regularly check for new releases and security advisories from the OpenMetadata project.
3. Risk Assessment and Auditing: Conduct regular risk assessments and audits of the OpenMetadata environment to identify potential vulnerabilities and areas of weakness. Regularly review and monitor logs, network traffic, and system activity for signs of compromise.
4. Security Awareness: Educate users and administrators about the importance of security best practices. Train them to recognize phishing emails and suspicious behavior. Provide clear guidelines on how to report security incidents or potential vulnerabilities.
5. Access Control: Implement a least privilege model for user access to OpenMetadata. Restrict access to sensitive features and data to only authorized personnel. Regularly review and update access control policies.
Conclusion
The exploitation of vulnerabilities in OpenMetadata for cryptocurrency mining activity highlights the ongoing need for robust container security measures. Threat actors are actively searching for and exploiting vulnerabilities in popular containerized platforms, such as OpenMetadata, to gain unauthorized access and carry out malicious activities.
Users of OpenMetadata should take proactive steps to secure their environments by implementing strong authentication methods, regularly patching their software, conducting risk assessments and audits, and raising security awareness among their users and administrators. By adhering to these best practices, organizations can significantly reduce the risk of falling victim to container-based attacks.
As the adoption of containers continues to grow, it is crucial for organizations to prioritize container security and stay vigilant against emerging threats. Container security should be an integral part of any organization’s overall security strategy, ensuring that their valuable data and resources are protected from malicious actors.