Operators of the Mirai botnet are actively exploiting OMIGOD, the Microsoft Azure vulnerability recently disclosed by Wiz researchers.
OMIGOD is a set of four security flaws: the unauthenticated remote code execution vulnerability CVE-2021-38647 (CVSS 9.8) and three privilege escalation flaws, CVE-2021-38648 (CVSS 7.8), CVE-2021-38645 (CVSS 7.8) and CVE-2021-38649 (CVSS 7.0).
The flaws sit in Open Management Infrastructure (OMI), Microsoft's open-source implementation of the DMTF CIM/WBEM management standards, which Microsoft embeds in its Azure platform.
The OMIGOD Azure vulnerability is present by default
The OMIGOD vulnerabilities affect customers running Linux virtual machines on Azure. The OMI agent is installed automatically, and without the customer being told, when they enable Linux VM management services such as Azure Automation, Log Analytics or Configuration Management. Although it can be configured to use other ports, OMI listens on TCP ports 1270, 5985 (HTTP) and 5986 (HTTPS) by default when remote management is enabled.
OMI runs as root, so any flaw in it is serious: an attacker who exploits it can escalate privileges and execute code as root on the affected Azure VM.
The remote code execution flaw needs no exploit development at all. An HTTP request to the OMI port that simply omits the Authorization header is treated by OMI as if it came from root, so the command carried in the request runs with system-wide root privileges.
Mirai botnet spreading through the OMIGOD Azure vulnerability
Researchers at Cado Security believe there is a race among attackers to exploit the OMIGOD Azure vulnerability. Similarly, the security company Bad Packets said it had detected mass scanning of internet-facing servers for the flaw.
Cado Security CTO and co-founder Chris Doman said that Mirai botnets were trying to spread across systems by exploiting OMIGOD alongside other vulnerabilities. He anticipated that exploits for the vulnerability would proliferate in easy-to-use forms, allowing more threat actors to take advantage of it.
Doman advised security response teams to configure Azure's perimeter firewall to block access to the OMI ports, and to make sure their systems were running the updated OMI extensions.
He noted that the Mirai exploit was essentially low-skilled, which underscores the risk posed by OMIGOD: the botnet's operators needed only to craft a simple HTTP request to run a command as root.
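As an added example (not code from this article, nor from Cado Security, Bad Packets or Wiz), the following Python classifies raw HTTP requests to the OMI ports according to the pattern described above: a POST to /wsman that carries no Authorization header and asks SCX_OperatingSystem for ExecuteShellCommand is the CVE-2021-38647 signature, an unauthenticated POST without the shell call looks like a scanner probe, and an authenticated shell call is ordinary management traffic worth a glance. The sample requests, their addresses and the SOAP body are constructed for the example; in practice the input would come from a reverse proxy log, a packet capture or a WAF.

```python
"""Detection logic for OMIGOD (CVE-2021-38647) exploitation attempts against OMI.

The exploit is an HTTP POST to /wsman on an OMI port that omits the Authorization
header and asks SCX_OperatingSystem for ExecuteShellCommand; OMI then runs the
command as root.  This module classifies raw HTTP requests (constructed samples
below, not real captures) into findings a SOC could act on.
"""
import re
from typing import Dict, List, Optional, Tuple

OMI_PORTS = {1270, 5985, 5986}          # default OMI listeners
COMMAND_RE = re.compile(r"<(?:\w+:)?command>(.*?)</(?:\w+:)?command>", re.S)


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(src: str, dst_port: int, raw: str) -> Optional[Dict]:
    """Return a finding for one request, or None if it is not OMI-related."""
    if dst_port not in OMI_PORTS:
        return None
    request_line, headers, body = parse_request(raw)
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "POST" or not parts[1].startswith("/wsman"):
        return None
    unauthenticated = "authorization" not in headers
    wants_shell = "ExecuteShellCommand" in body
    finding: Dict = {"src": src, "port": dst_port, "command": None}
    if unauthenticated and wants_shell:
        m = COMMAND_RE.search(body)
        finding.update(severity="critical",
                       reason="unauthenticated ExecuteShellCommand: CVE-2021-38647 pattern",
                       command=m.group(1).strip() if m else None)
    elif unauthenticated:
        finding.update(severity="medium",
                       reason="WSMan request without Authorization header (probe or scan)")
    elif wants_shell:
        finding.update(severity="low",
                       reason="authenticated shell execution via OMI; confirm it is expected")
    else:
        return None
    return finding


def scan(samples: List[Tuple[str, int, str]]) -> List[Dict]:
    """Classify every (source, destination port, raw request) and keep the findings."""
    return [f for f in (classify(*s) for s in samples) if f]


def _http(method: str, path: str, headers: Dict[str, str], body: str = "") -> str:
    """Build a raw HTTP/1.1 request string for the constructed samples."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample traffic.  The SOAP body mirrors the shape of a WSMan
# ExecuteShellCommand invocation; addresses are from documentation ranges.
SHELL_BODY = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    '<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/'
    'cim-schema/2/SCX_OperatingSystem"><p:command>uname -a; id</p:command>'
    '<p:timeout>0</p:timeout></p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>'
)
ENUM_BODY = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body/></s:Envelope>'

SAMPLES = [
    # exploitation attempt: no Authorization header, shell command requested
    ("198.51.100.7", 5986, _http("POST", "/wsman", {"Host": "vm", "Content-Type": "application/soap+xml"}, SHELL_BODY)),
    # scanner probing the port without credentials
    ("203.0.113.9", 5985, _http("POST", "/wsman", {"Host": "vm"}, ENUM_BODY)),
    # legitimate, authenticated management traffic
    ("10.0.0.5", 5986, _http("POST", "/wsman", {"Host": "vm", "Authorization": "Basic b21pOnNlY3JldA=="}, SHELL_BODY)),
    # unrelated traffic on a non-OMI port
    ("10.0.0.6", 22, "SSH-2.0-OpenSSH_8.2\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f['severity']:8} {f['src']}:{f['port']} {f['reason']} command={f['command']!r}")
```

The medium finding is deliberately noisy: a single unauthenticated /wsman POST is what a scanner sends, so a burst of them from one source across many hosts is the earliest signal of the mass scanning Bad Packets reported.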
Microsoft released fixes with its September 2021 Patch Tuesday updates and urged customers to update their deployments.
“Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE),” Microsoft wrote. “While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270).”
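An added example, not from the article or from Microsoft, of the checks a response team would run on a Linux VM (or across command output exported from many of them) to act on the guidance above: is the installed OMI package older than the fixed release 1.6.8-1, is OMI listening on 5985, 5986 or 1270 on a non-loopback address, and has something added local firewall rules that close those ports (the article notes below that Mirai closes 5986 after compromising a host, so such a rule that nobody on the team added is a lead). The command outputs here are constructed samples; `dpkg-query -W -f='${Version}' omi` (or `rpm -q omi`), `ss -lntp` and `iptables -S` produce the real ones.

```python
"""Triage a Linux VM for OMIGOD exposure from three pieces of command output:
the installed OMI version, the sockets OMI listens on, and local firewall rules
that close OMI ports.  Inputs below are constructed samples; on a real host they
come from `dpkg-query -W -f='${Version}' omi` (or `rpm -q omi`), `ss -lntp`
and `iptables -S`.
"""
import re
from typing import Dict, List, Tuple

OMI_PORTS = {1270, 5985, 5986}
FIXED_VERSION = (1, 6, 8, 1)       # OMI 1.6.8-1 carries the September 2021 fixes
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
DROP_RULE = re.compile(r"--dports? (\S+).*-j (DROP|REJECT)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.6.4.1', '1.6.8-1' and 'omi-1.6.8-1.x86_64' all become integer tuples."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:4])


def version_is_vulnerable(text: str) -> bool:
    """True when the package predates the fix.  A truncated version such as
    '1.6.8' compares below (1, 6, 8, 1) and is deliberately treated as vulnerable."""
    return parse_version(text) < FIXED_VERSION


def exposed_omi_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """(address, port, process) for OMI ports bound to something other than loopback,
    i.e. reachable from the network unless an NSG or firewall intervenes."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if not port.isdigit() or int(port) not in OMI_PORTS:
            continue
        if addr.startswith(LOOPBACK_PREFIXES):
            continue
        found.append((addr, int(port), cols[5] if len(cols) > 5 else ""))
    return found


def omi_ports_blocked_locally(iptables_output: str) -> List[str]:
    """Rules that DROP/REJECT traffic to an OMI port.  One you did not add is a lead:
    after exploiting OMIGOD, Mirai was seen closing 5986 to keep rival bots out.
    This is a heuristic, not proof of compromise."""
    hits = []
    for line in iptables_output.splitlines():
        m = DROP_RULE.search(line)
        if m and {int(p) for p in re.findall(r"\d+", m.group(1))} & OMI_PORTS:
            hits.append(line.strip())
    return hits


def assess(version_text: str, ss_output: str, iptables_output: str) -> Dict:
    """Combine the three checks into one report for the host."""
    return {
        "vulnerable_version": version_is_vulnerable(version_text),
        "exposed_listeners": exposed_omi_listeners(ss_output),
        "local_drop_rules": omi_ports_blocked_locally(iptables_output),
    }


# Constructed sample output, shaped like the real commands' output.
SAMPLE_VERSION = "1.6.4.1"
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*         users:(("omiengine",pid=1304,fd=6))
LISTEN 0      128    127.0.0.1:5985      0.0.0.0:*         users:(("omiengine",pid=1304,fd=5))
"""
SAMPLE_IPTABLES = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5986 -j DROP
"""

if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_SS, SAMPLE_IPTABLES)
    print("OMI version vulnerable:", result["vulnerable_version"])
    for addr, port, proc in result["exposed_listeners"]:
        print(f"exposed: {addr}:{port} {proc}")
    for rule in result["local_drop_rules"]:
        print("OMI port closed by local rule (who added it?):", rule)
```

A listener on 0.0.0.0:5986 is only reachable from the internet if the NSG or perimeter firewall allows it, so the second check tells you which hosts need the network restriction Microsoft describes, while the first tells you which still need the package update regardless of exposure.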
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also reminded users on September 17 to “update vulnerable extensions for their Cloud and On-Premises deployments.”
“Microsoft has quickly and properly responded to the OMIGOD vulnerabilities discovered and reported by Wiz,” Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said. “The cloud service risk/reward tradeoff is very evident in this scenario. IT security teams trust cloud providers like Azure to provide a secure service, and in the event of a bug or vulnerability, to take immediate steps to mitigate the risk.”
Bar-Dayan added that vendors were usually quick in remediating flaws before threat actors exploited them. He noted that it takes several unaddressed vulnerabilities for threat actors to exploit the affected systems.
Mirai's operators also know that other threat actors want to exploit the OMIGOD Azure vulnerability. Consequently, after gaining persistence on a vulnerable server they have been blocking the OMI ports to keep rivals out.
Former Microsoft employee Kevin Beaumont indicated that the Mirai botnet attempted to close TCP port 5986 (the OMI SSL port) after compromising a system, in order to lock out other attackers.
Beaumont criticized Microsoft for silently installing vulnerable management agents that Azure users did not know about and then had to update manually. He said there were about 15,700 vulnerable Azure deployments, including some with US government hostnames.
“Finding an underlying vulnerability in a management function of a cloud service provider is significant. To understand their exposure to this vulnerability, enterprises need to know which assets have the OMI management function enabled and ensure that nothing is directly exposed to the Internet,” says Tyler Shields, CMO at JupiterOne. “You may assume that two or three layers of firewalls protect these assets, but unfortunately, transitive trust relationships among assets can accidentally create a path that an attacker can exploit.”
He noted that a “cloud-native attack surface measurement tool that connects assets” would easily inform customers when their deployments were exposed.