Hackers have been observed abusing flaws in OpenMetadata workloads to install cryptocurrency miners on Kubernetes.
Cybersecurity researchers from the Microsoft Threat Intelligence team reported a new campaign, which started in early April 2024, in which unidentified threat actors scanned the web for internet-exposed OpenMetadata workloads vulnerable to these five flaws: CVE-2024-28847, CVE-2024-28848, CVE-2024-28253, CVE-2024-28254, and CVE-2024-28255.
Once such a workload was found, the attackers exploited these flaws to deploy malware and gain a foothold on the system. After some analysis and reconnaissance, they installed cryptocurrency miners on the Kubernetes workloads.
Cryptomining season
OpenMetadata is an open source framework and standard for managing metadata in an open and interoperable manner across various tools, technologies, and platforms. Metadata is essentially data about data, providing context, description, and structure to the actual data.
Among the various cryptocurrency miners in use, the standout is XMRig, a lightweight program that “mines” (essentially, generates) the Monero currency, also known as XMR. Monero is described as a privacy-oriented coin that is almost impossible to trace, making it particularly attractive to cybercriminals.
“Mining” cryptocurrency means running compute-heavy operations that render the machine doing them useless for anything else, even if the device is extremely powerful. At the same time, the device consumes an enormous amount of electrical power while mining, racking up huge electricity bills for the victims.
The attackers, on the other hand, receive disproportionately little cryptocurrency in return, which makes the damage done that much greater.
On the flip side, a cryptominer infection is relatively easy to spot, since the compromised computer slows down to a crawl. However, with the crypto bull run currently in full swing, we can expect to see more of these miners around.
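On Kubernetes, that slowdown shows up as pods burning far more CPU than they were given. The following is an added example (not code from the article or from Microsoft's report) that parses constructed `kubectl top pods --all-namespaces` output, compares each pod's usage against constructed CPU requests, and flags the pods worth investigating; the pod names, request values and the 4x threshold are assumptions.

```python
"""Added example: flag Kubernetes pods whose CPU use looks like a
cryptominer. Input is constructed `kubectl top pods` text, not real data."""
import re

# Constructed sample of `kubectl top pods --all-namespaces` output.
TOP_OUTPUT = """\
NAMESPACE     NAME                          CPU(cores)   MEMORY(bytes)
openmetadata  openmetadata-server-7c9d      3950m        812Mi
openmetadata  openmetadata-ingestion-2b1a   120m         310Mi
kube-system   coredns-5d78c9869d-xk2lp      4m           23Mi
"""

# Constructed CPU requests (millicores) as they would come from the pod specs.
CPU_REQUESTS_M = {
    "openmetadata/openmetadata-server-7c9d": 500,
    "openmetadata/openmetadata-ingestion-2b1a": 250,
    "kube-system/coredns-5d78c9869d-xk2lp": 100,
}

def parse_cpu_millicores(value: str) -> int:
    """Convert kubectl CPU strings ('3950m', '2') to millicores."""
    if value.endswith("m"):
        return int(value[:-1])
    return int(float(value) * 1000)

def parse_top(output: str) -> dict:
    """Return {'namespace/name': millicores} from `kubectl top pods` text."""
    usage = {}
    for line in output.splitlines()[1:]:   # skip the header row
        fields = re.split(r"\s+", line.strip())
        if len(fields) < 4:
            continue
        ns, name, cpu = fields[0], fields[1], fields[2]
        usage[f"{ns}/{name}"] = parse_cpu_millicores(cpu)
    return usage

def suspicious_pods(usage: dict, requests: dict, ratio: float = 4.0) -> list:
    """Flag pods using more than `ratio` times their CPU request, or more
    than one full core when no request is declared (assumed thresholds)."""
    flagged = []
    for pod, used in usage.items():
        req = requests.get(pod)
        if (req and used > ratio * req) or (not req and used > 1000):
            flagged.append(pod)
    return sorted(flagged)
```

A flagged pod is a lead, not a verdict: confirm by inspecting the running processes and the image version before acting.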
“This attack serves as a valuable reminder of why it’s crucial to stay compliant and run fully patched workloads in containerized environments,” the researchers said.
Via The Hacker News