HomeBug BountyHackers Exploit OpenMetadata Vulnerability for Cryptomining Attacks on Kubernetes

Hackers Exploit OpenMetadata Vulnerability for Cryptomining Attacks on Kubernetes

OpenMetadata Vulnerability Exploit – Cryptomining Attacks on Kubernetes – In a concerning development, cybersecurity experts have uncovered an ongoing campaign where threat actors are exploiting critical vulnerabilities in the OpenMetadata platform to launch cryptomining attacks on Kubernetes workloads. This sophisticated operation highlights the growing risks associated with open-source software in containerized environments.

OpenMetadata, a widely-used open-source metadata management tool, has become the latest target for hackers seeking to capitalize on its flaws. These vulnerabilities, including CVE-2024-28847, CVE-2024-28848, CVE-2024-28253, CVE-2024-28254, and CVE-2024-28255, were initially disclosed and patched in versions 1.2.4 and 1.3.1 on March 15. However, despite the patches being available, threat actors have been actively exploiting them since early April, emphasizing the importance of timely updates and patch management.

The attack methodology of OpenMetadata Vulnerability employed by these hackers is alarming in its sophistication. First, they identify vulnerable versions of OpenMetadata running on internet-exposed Kubernetes workloads. Leveraging the disclosed vulnerabilities, they gain unauthorized access to the containers, ultimately achieving remote code execution.

Once inside, the attackers conduct reconnaissance to assess the compromised environment thoroughly. They collect information about the network, hardware configuration, and operating system version to tailor their subsequent actions. Interestingly, they utilize ping requests to domains associated with Interactsh, a tool for detecting out-of-band interactions, to validate network connectivity without raising suspicion.

cryptomining Process of Exploited server that have OpenMetadata Vulnerabilities
cryptomining Process of Exploited server that have OpenMetadata Vulnerabilities

Upon confirming their access, the hackers proceed to download cryptomining malware payloads from a remote server, often located in China. These payloads, available for both Linux and Windows platforms, are then deployed within the compromised containers, initiating cryptocurrency mining operations.

To maintain persistence and control over the hijacked Kubernetes applications, the attackers employ various techniques. They remove initial payloads, establish reverse shell connections using tools like Netcat, and set up cronjobs to execute malicious code at regular intervals.

Notably, the attackers leave behind a distinctive calling card—an appeal for Monero cryptocurrency donations, purportedly to fund personal expenses such as purchasing a car or a “suite” in China. This tactic adds a peculiar twist to an otherwise malicious operation.

Note left on breached servers
Note lefted by the Hacker on the Breached Server

Security experts urge administrators to take immediate action to mitigate the risk posed by these attacks. They recommend changing default credentials, ensuring that OpenMetadata applications are promptly patched against known vulnerabilities, and maintaining vigilant monitoring of Kubernetes environments.

To maintain vigilant monitoring of Kubernetes environments, administrators are advised to take proactive measures. This includes promptly changing default credentials, ensuring that OpenMetadata applications are updated against known vulnerabilities, and utilizing the following command to get a list of all OpenMetadata workloads running in their Kubernetes environment:

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep 'openmetadata'


By running this command, administrators can efficiently identify any instances of OpenMetadata running within their Kubernetes clusters, allowing for timely assessment and response to potential security threats. This proactive approach is crucial in safeguarding digital assets against emerging cyber threats.

This incident underscores the critical importance of maintaining robust cybersecurity practices, including timely patching and proactive threat detection, in containerized environments. As the cybersecurity landscape continues to evolve, organizations must remain vigilant to safeguard their digital assets against emerging threats.

A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.



Please enter your comment!
Please enter your name here

4 × 4 =

Most Popular


- Advertisement -