Just a few days after the four OMIGOD vulnerabilities were discovered in Microsoft Azure, researchers on Friday reported that Mirai botnets are either scanning or actively exploiting OMIGOD.
The OMIGOD news first broke in a blog by Wiz researchers on Tuesday, in which the team said the source of the issue was a software agent called open management infrastructure (OMI) that’s embedded in many popular Azure services. Wiz researchers said when customers set up a Linux virtual machine in a cloud, the OMI agent gets automatically deployed without their knowledge when they enable certain Azure services, making it easy for attackers to exploit the vulnerabilities.
Well, it didn’t take long, and attackers have already started exploiting OMIGOD.
“What's different is we're now seeing real world exploitation by attackers — not just white hat researchers scanning for systems,” said Chris Doman, co-founder and CTO at Cado Security.
In a blog post today, Doman said his team analyzed an x86 Mirai sample and found that the worm tried to spread to other systems through a number of vulnerabilities, including OMIGOD.
“There's typically a race to publish, and now the exploit is in plenty of easy-to-use forms it will proliferate,” Doman said. “Security teams should check Microsoft Azure Firewall is set to block any access to OMI ports. They should also check if OMI is installed on systems, and that it’s the latest version.”
Doman added that Mirai botnet operators are often fairly low-skilled, so the fact that they can weaponize this exploit shows just how easy it is to use — the attackers just create a simple http request that tells the system to run a command as root.
“And we can see in the malware that they are locking out other botnet operators as they know how many other people will be exploiting this soon,” Doman said. “A worst, but somewhat inevitable, case is that ransomware operators will start using this to get a beachhead from internet-facing systems into the rest of the network.”
Saumitra Das, CTO at Blue Hexagon, said security teams need to take the OMI vulnerability seriously because it’s now being actively exploited by botnets for coin mining and agreed that it may also escalate to ransomware.
“Organizations need to upgrade OMI to the latest version or remove it from Linux VMs in Azure,” Das said. “Having visibility into network behavior can reveal the presence of botnets in Azure infrastructure. This story highlights the dangers of software agents with privilege running on workloads in the cloud. While this is not a supply chain attack, it was still enabled by a supply chain vulnerability introduced by the cloud service provider.”
The only surprise here is that attackers waited as long as they did before launching attacks to compromise OMIGOD, said John Bambenek, principal threat hunter at Netenrich.
“Security professionals and cloud teams should block OMI ports and patch immediately," Bambenek said. "The fact that so few did so immediately means I’m never going to be able to retire.”
Immediately upon disclosure of a vulnerability, particularly a critical one that allows remote code execution with root privileges, it’s always a race against the clock to mitigate/patch versus getting exploited, said Oliver Tavakoli, CTO at Vectra.
“This vulnerability is valuable enough to an attacker to go to the top of the list of anyone who’s targeting assets organizations hold in Azure,” Tavakoli said.
Now that OMIGOD has been confirmed as being actively scanned and exploited in an automated fashion via botnets and we know there’s the potential for root privilege remote code execution, security teams must close any open OMI ports as soon as possible and implement Azure mitigation guidelines, said Stuart Winter-Tear, director of strategy at ThreatModeler. “The race is on,” he concluded.