Experts warn that Mirai Botnet starts exploiting OMIGOD flaw

The Mirai botnet has started exploiting the recently disclosed OMIGOD vulnerability to compromise vulnerable systems exposed online.

Threat actors behind a Mirai botnet have started exploiting the critical Azure OMIGOD vulnerability tracked as CVE-2021-38647, just a few days after Microsoft disclosed the flaws.

The recently released September 2021 Patch Tuesday security updates addressed four severe vulnerabilities, collectively tracked as OMIGOD, in the Open Management Infrastructure (OMI) software agent that expose Azure users to attack. Below is the list of the OMIGOD flaws:

- CVE-2021-38647 – Unauthenticated RCE as root (Severity: 9.8)
- CVE-2021-38648 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38645 – Privilege Escalation vulnerability (Severity: 7.8)
- CVE-2021-38649 – Privilege Escalation vulnerability (Severity: 7.0)

The vulnerabilities were reported by Wiz's research team. An attacker could exploit the OMIGOD flaws to execute code remotely or elevate privileges on vulnerable Linux virtual machines running on Azure.

Researchers estimate that thousands of Azure customers and millions of endpoints are potentially at risk of attack.

Threat actors immediately started scanning the Internet for vulnerable installs, as confirmed by independent researchers and security firms. The popular expert Kevin Beaumont reported that a Mirai botnet is attempting to compromise vulnerable systems and that, once a host is infected, it closes TCP port 5986 (the OMI SSL port, written as 5896 in Beaumont's tweet) to prevent other threat actors from infecting the same machine.

Mirai botnet is exploiting #OMIGOD – they drop a version of Mirai DDoS botnet and then close 5896 (OMI SSL port) from the internet to stop other people exploiting the same box. https://t.co/j9Z41Zaqd8 — Kevin Beaumont (@GossiTheDog) September 17, 2021

#OMIGOD update (48 hours after release): – Already exploited in the wild – Azure is still not patched (see below my test a few minutes ago, 1.6.8.0 is vulnerable) – Major risk for Azure environments. Make sure management ports are closed (5985/5986/1270) https://t.co/lLsABf2XL4 pic.twitter.com/XkVYafjCIu — Ami Luttwak (@amiluttwak) September 16, 2021

Mass scanning activity detected from 45.146.164.110 () checking for Azure Linux OMI endpoints vulnerable to remote code execution (CVE-2021-38647). Vendor advisory: https://t.co/PO4A8mK5PI Proof of concept: https://t.co/ioxDgZ9AlM #threatintel pic.twitter.com/TKHFVTOmpb — Bad Packets (@bad_packets) September 17, 2021

The Azure "OHMIGOD" vulnerability (CVE-2021-38647) is increasing a good bit. ~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN users and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd pic.twitter.com/7dyU213Pl1 — Andrew Morris (@Andrew___Morris) September 16, 2021

Microsoft released guidance urging customers to update the vulnerable extensions in their cloud and on-premises deployments as the updates become available, following a schedule shared by the Microsoft Security Response Center team.

“New VMs in these regions will be protected from these vulnerabilities post the availability of updated extensions.” reads the Microsoft guidance.

“Updates are already available for DSC and SCOM to address the remote execution vulnerability (RCE). While updates are being rolled out using safe deployment practices, customers can protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities.”
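As an added example (not code from the article or from Microsoft's guidance), the following POSIX shell script shows how an administrator could triage a Linux VM for OMI listeners that are reachable from the network, using the three ports Microsoft names (TCP 5985, 5986 and 1270), and print the Azure CLI command for an inbound NSG rule that denies them from the Internet. It parses the output of `ss -Hltn`; a constructed sample of that output is embedded so the script runs offline, and the resource-group and NSG names in the printed command are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from Microsoft: triage a Linux VM
# for OMI listeners that are reachable from the network, then print the NSG
# rule that would close them. Ports are the three Microsoft names for OMI.

OMI_PORTS="5985 5986 1270"   # OMI HTTP, OMI HTTPS, SCOM/OMI legacy

# Constructed sample of `ss -Hltn` output (listening TCP sockets, no header):
# sshd, OMI HTTP on loopback only, OMI HTTPS and 1270 on all interfaces,
# and an unrelated web listener for contrast.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 128 *:5986 *:*
LISTEN 0 128 [::]:1270 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# exposed_omi_ports: read ss-style lines on stdin, print each OMI port that is
# bound to a non-loopback address (one per line, numerically sorted, unique).
exposed_omi_ports() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) is_omi[want[i]] = 1 }
        $1 == "LISTEN" {
            laddr = $4                               # local address:port column
            port = laddr; sub(/.*:/, "", port)       # text after the last colon
            addr = laddr; sub(/:[0-9]+$/, "", addr)  # everything before it
            if (!(port in is_omi)) next
            if (addr == "127.0.0.1" || addr == "[::1]") next  # loopback only
            print port
        }' | sort -n | uniq
}

# check_exposure: takes ss output as its argument; returns 0 when no OMI port
# is network-reachable and 1 otherwise, printing a one-line verdict.
check_exposure() {
    exposed=$(printf '%s\n' "$1" | exposed_omi_ports | tr '\n' ' ')
    if [ -z "$exposed" ]; then
        echo "no OMI listener reachable from the network"
        return 0
    fi
    echo "OMI listening on network-reachable port(s): $exposed"
    return 1
}

# nsg_deny_rule: print the Azure CLI command for an inbound NSG rule that
# denies the OMI ports from the Internet service tag. Resource group and NSG
# names are placeholders supplied by the caller.
nsg_deny_rule() {
    rg="$1"; nsg="$2"
    echo "az network nsg rule create --resource-group $rg --nsg-name $nsg" \
         "--name DenyOMIFromInternet --priority 100 --direction Inbound" \
         "--access Deny --protocol Tcp --source-address-prefixes Internet" \
         "--destination-port-ranges $OMI_PORTS"
}

# Stand-alone run against the constructed sample. On a real VM replace the
# sample with live data:  ss -Hltn | exposed_omi_ports
check_exposure "$SAMPLE_SS" || :
nsg_deny_rule my-rg my-nsg      # placeholder resource group and NSG names
```

The loopback exclusion matters because an OMI listener bound only to 127.0.0.1 cannot be reached by the Internet-wide scanning described above, while a wildcard (`*`, `0.0.0.0` or `[::]`) binding can; the NSG rule is the network-level stopgap Microsoft recommends until the patched extension reaches the VM.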

Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)

The post Experts warn that Mirai Botnet starts exploiting OMIGOD flaw appeared first on Security Affairs.