Researchers observed attackers exploiting critical vulnerabilities in the OpenMetadata platform to break into Kubernetes environments and run cryptominers. OpenMetadata, an open-source platform for cataloguing and managing metadata about data sources, carries several vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) in versions prior to 1.3.1 that let an unauthenticated attacker bypass authentication and execute code remotely; upgrading to 1.3.1 or later is the fix.
The attack begins with the attackers targeting Internet-exposed Kubernetes workloads that run vulnerable versions of OpenMetadata. Once they gain initial access, they perform reconnaissance, resolving domains ending in oast[.]me and oast[.]pro to confirm that the compromised pod can reach the Internet without drawing attention. These are out-of-band application security testing (OAST) domains of the kind used by interactsh-style callback services, so a workload pod resolving them is a strong indicator in DNS logs. With connectivity confirmed, the attackers deploy cryptomining malware and establish a command-and-control channel to retain control over the compromised system.