Microsoft Azure VMs Abused to Drop Mirai, Miners – OMIGOD

Microsoft Azure VMs Abused to Drop Mirai, Miners – OMIGOD

Attackers initiated currently exploiting the sensitive Azure OMIGOD vulnerabilities two days after Microsoft revealed them during this month’s Patch Tuesday. The four security bugs (permitting privilege escalation and remote code execution) were discovered in the Open Management Infrastructure (OMI) software agent silently installed by Microsoft on more than half of all Azure instances.

In all, these flaws affect thousands of Azure customers and millions of endpoints, as per Wiz researchers Nir Ohfeld and Shir Tamari, who discovered them. “With a single packet, a threat actor can become root on a remote machine by simply removing the authentication header. It’s that easy,” Wiz researcher Nir Ohfeld said about the CVE-2021-38647 remote code execution (RCE) flaw.

Currently Exploited to drop Botnet and Cryptomining Malware

The first attacks were addressed yesterday evening by security investigators German Fernandez and were soon ensured by cybersecurity organizations GreyNoise and Bad Packets.

According to GreyNoise’s current states, threat actors are scanning the Internet for exposed Azure Linux VMs vulnerable to CVE-2021-38647 exploits from over 110 servers. A Mirai botnet is behind some of these exploitation attempts targeting Azure Linux OMI endpoints vulnerable to CVE-2021-38647 RCE exploits, as first spotted by Fernández on Thursday evening.

Digital forensics firm Cado Security also analyzed the botnet malware dropped on compromised systems and found that it also “closes the ports of the vulnerabilities it exploited to stop other botnets taking over the system.” As security researcher Kevin Beaumont found, other threat actors are targeting OMIGOD-vulnerable Azure systems to deploy crypto miner payloads.      

Microsoft-Azure-VMs-Abused-to-Drop-Mirai-Miners–OMIGOD-image1

How to Protect your Azure VM?

While Microsoft has released the patched OMI software agent version more than a week ago, the organization is still in the process of rolling out security updates to cloud customers who have automatic updates enabled in their VMs.

As per the additional support Redmond released today, “customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available” an already schedule transmitted by the Microsoft Security Response Center team.

“The advance VMs in these regions will be secured from these vulnerabilities post the availability of update extensions.” To manually update the OMI agent on your VM, you can also use the built-in Linux package manager:

  • Add the MSRepo to your system. Based on the Linux OS that you are using, refer to this link to install the MSRepo to your system: Linux Software Repository for Microsoft Products | Microsoft Docs
  • You can then use your platform’s package tool to upgrade OMI (for example, sudo apt-get install omi or sudo yum install omi).

“While updates are being twisted out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1207),” Microsoft added.

Leave a Reply