Several separate attack groups are attempting to exploit the remote-code execution vulnerability in the Open Management Infrastructure (OMI) Framework agent for Azure that was disclosed last week, including a group that is installing the Mirai botnet malware on compromised hosts.
The OMI extension is installed in the background with many Azure services, including Open Management Suite, Azure Insights, and Azure Automation, and is used for configuration management on Linux and Unix systems. Researchers at Wiz discovered the vulnerability (CVE-2021-38647), along with three local privilege escalation bugs, and disclosed them to Microsoft, which issued updates for them on Sept. 14. But attackers took notice quickly, and within days, a number of proof-of-concept exploits were available and actors were looking for vulnerable hosts.
“To date we have seen several active exploitation attempts ranging from basic host enumeration (running uname, id, ps commands) to attempts to install a cryptocurrency miner or file share. We have also seen others in the community report similar behavior to include installs of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270,” Russell McDonald of the Microsoft Threat Intelligence Center said.
“Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.). In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 18.104.22.168) of the OMI agent can execute arbitrary commands over an HTTP request without an authorization header.”
The OMI flaw is rated critical, and it’s all the more serious due to the fact that OMI is installed automatically, and mostly silently, with so many Azure VMs. Exploitation of the bug is not complicated, either.
“Thanks to the combination of a simple conditional statement coding mistake and an uninitialized authentication struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root. This vulnerability allows for remote takeover when OMI exposes the HTTPS management port externally (5986/5985/1270). This is in fact the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM),” the Wiz Research Team wrote in its explanation of the vulnerability.
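The condition Wiz describes, a request reaching one of the OMI management ports with no Authorization header at all, is also the simplest thing a defender can look for in proxy or packet captures. The following Python is an added example, not code from the article, Wiz or Microsoft; the request samples are constructed, and the parser assumes plain HTTP request text (request line plus headers).

```python
# Added example: flag requests to the OMI management ports that carry no
# Authorization header, the condition the article says CVE-2021-38647 turns
# into root-level command execution. Sample traffic below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

OMI_PORTS = {5985, 5986, 1270}  # management ports named in the article


@dataclass
class RequestRecord:
    src: str
    dst_port: int
    method: str
    path: str
    headers: Dict[str, str]  # header names stored lower-cased


def parse_request(src: str, dst_port: int, raw: str) -> RequestRecord:
    """Parse raw HTTP request text (request line + headers) into a record."""
    lines = raw.strip("\r\n").split("\n")
    method, path, _version = lines[0].strip().split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        line = line.strip()
        if not line:  # blank line ends the header block; body is ignored
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return RequestRecord(src, dst_port, method, path, headers)


def is_suspicious(rec: RequestRecord) -> bool:
    """True for a request to an OMI port that has no Authorization header."""
    return rec.dst_port in OMI_PORTS and "authorization" not in rec.headers


# Constructed sample traffic (src, dst_port, raw request); not real captures.
SAMPLES: List[Tuple[str, int, str]] = [
    ("203.0.113.5", 5986, "POST / HTTP/1.1\nHost: vm\nContent-Type: text/xml\n\n<x/>"),
    ("198.51.100.7", 5986, "POST / HTTP/1.1\nHost: vm\nAuthorization: Basic dXNlcjpwYXNz\n\n<x/>"),
    ("203.0.113.9", 1270, "POST / HTTP/1.1\nHost: vm\n\n<x/>"),
    ("198.51.100.2", 443, "GET / HTTP/1.1\nHost: vm\n\n"),
]


def flag_samples() -> List[str]:
    """Return source addresses whose requests match the unauthenticated-OMI pattern."""
    return [src for src, port, raw in SAMPLES
            if is_suspicious(parse_request(src, port, raw))]
```

A hit on this rule from an external address is worth an alert on its own; the fix the article describes is to patch the agent and stop exposing those ports externally.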
Two days after Microsoft released the advisory for the vulnerability, researchers saw the operators of the Mirai botnet attempting to exploit the bug, although the attempts were failing at that time because they had implemented the exploit incorrectly. But that has changed since.
“Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given Mirai can enter networks and spread laterally via multiple vulns, this might be problematic,” researcher Kevin Beaumont said on Twitter Friday.
GreyNoise, which monitors scanning and attack traffic, has identified numerous malicious hosts trying to exploit this vulnerability to install Mirai as well.