[TheRecord] DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public

Threat actors are attacking Azure Linux-based servers using a recently disclosed security flaw named OMIGOD in order to hijack vulnerable systems into DDoS or crypto-mining botnets.

The attacks, which began on Thursday night, September 16, are fueled by a public proof-of-concept exploit that was published on the same day on code hosting website GitHub.

The attacks started slow, according to Andrew Morris, founder and CEO of threat intelligence company GreyNoise.

Roughly 10 malicious servers were scanning the internet for vulnerable servers Thursday night, but the number had grown to more than 100 by the next morning.

Attacks target Azure Linux systems vulnerable to OMIGOD

The attackers are looking for Linux servers running on Microsoft’s Azure cloud infrastructure. These systems are vulnerable to a security flaw called OMIGOD.

Discovered over the summer by cloud security firm Wiz, the vulnerability resides in an agent called Open Management Infrastructure (OMI), which Microsoft has been silently installing on Azure Linux virtual machines whenever customers enable services such as Azure Monitor, Log Analytics, Azure Automation or Configuration Management.

The agent, an open-source Linux counterpart to Windows Management Instrumentation (WMI) that lets management tooling collect configuration and telemetry from the host and report it to a central management server, is vulnerable to an issue tracked as CVE-2021-38647.

This bug allows threat actors to take over Azure Linux servers by sending a single HTTP request, with the Authorization header simply left out, to the OMI agent's remote-management port (5985, 5986 or 1270): the server treats such a request as coming from uid 0 and executes it as root.

“This is a textbook RCE vulnerability that you would expect to see in the ’90s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” said Wiz security researcher Nir Ohfeld, who discovered the issue.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header.”

“It’s that simple,” the researcher said in a report published on Tuesday.
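Because the whole attack hinges on one absent header, the pattern is easy to spot on the wire. The following is an added illustration written for this page, not code from The Record, Wiz or Microsoft: it parses a raw HTTP request and flags a POST to OMI's /wsman endpoint on one of its management ports (5985, 5986, 1270, the ports OMI listens on when remote management is enabled) that carries no Authorization header. The two request samples are constructed, and the SOAP body is a placeholder, since the check only looks at the request line and headers.

```python
"""Flag WS-Man requests to OMI's remote-management ports that carry no
Authorization header: the exact condition CVE-2021-38647 turns into root.

Added illustration for this article, not code from The Record, Wiz or
Microsoft. The requests below are constructed samples; the SOAP body is a
placeholder because the check only inspects the request line and headers.
"""
from dataclasses import dataclass
from typing import Optional

OMI_PORTS = {5985, 5986, 1270}   # OMI HTTP, HTTPS and legacy WS-Man listeners
WSMAN_PATH = "/wsman"


@dataclass
class Finding:
    src: str
    dst_port: int
    reason: str


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so the lookup is case-insensitive; anything
    after the blank line (the body) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_request(src: str, dst_port: int, raw: str) -> Optional[Finding]:
    """Return a Finding for a POST to /wsman on an OMI port that has no
    Authorization header; None otherwise (other port, other path, or a
    request that at least presented credentials)."""
    if dst_port not in OMI_PORTS:
        return None
    method, path, headers = parse_request_head(raw)
    if method != "POST" or not path.startswith(WSMAN_PATH):
        return None
    if "authorization" in headers:
        return None
    return Finding(src, dst_port,
                   "POST /wsman without Authorization header (CVE-2021-38647 pattern)")


# Constructed samples. The first is what the attack looks like at the header
# level; the second is the same call made with credentials attached.
UNAUTH_REQUEST = (
    "POST /wsman HTTP/1.1\r\n"
    "Host: 10.0.0.4:5986\r\n"
    "Content-Type: application/soap+xml;charset=UTF-8\r\n"
    "Content-Length: 63\r\n"
    "\r\n"
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"/>'
)
AUTH_REQUEST = UNAUTH_REQUEST.replace(
    "Content-Length:", "Authorization: Basic dXNlcjpwYXNz\r\nContent-Length:")


def scan(samples):
    """Run check_request over (src, dst_port, raw) tuples; return the Findings."""
    return [f for f in (check_request(*s) for s in samples) if f is not None]


if __name__ == "__main__":
    for f in scan([("198.51.100.7", 5986, UNAUTH_REQUEST),
                   ("10.0.0.9", 5986, AUTH_REQUEST),
                   ("198.51.100.7", 443, UNAUTH_REQUEST)]):
        print(f"{f.src} -> :{f.dst_port}  {f.reason}")
```

Only the first sample is reported: the authenticated call and the request to port 443 are ignored. Note that a request with an Authorization header is not necessarily legitimate; the point of the check is that a missing header on these ports should never be normal traffic.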

Microsoft’s boo-boo

Microsoft addressed the bug by releasing a patched version of the OMI agent on GitHub.

However, Microsoft did not automatically push this update to the OMI agents already deployed on customers' Azure VMs, effectively leaving tens of thousands of Azure Linux servers open to attack.

Furthermore, the company took another three days to replace the OMI version inside its Azure Linux VM images. This means that companies that rushed to re-image their servers deployed new VMs that were still vulnerable.

While many of these servers are inside corporate networks and behind firewalls, there are still plenty more that are connected online. A Shodan query currently surfaces more than 15,600 Azure Linux internet-connected servers. Remote exploitation requires one of OMI's management ports (5985, 5986 or 1270) to be reachable from the attacker, so the first thing to check on a VM is whether those ports are listening and whether the network security group lets traffic reach them.
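Since neither the agent nor the VM images were updated automatically, the only way to know where a VM stands is to check it. The script below is an added illustration for this page, not Microsoft's or Wiz's tooling. It reads the installed OMI version from package-manager output (`dpkg -l omi` on Debian/Ubuntu, `rpm -q omi` on RHEL/SUSE), compares it against the fixed release, and checks `ss -lntp` output for OMI's management ports. The fixed version, 1.6.8.1 (printed as 1.6.8-1 by rpm), is the one named in Microsoft's CVE-2021-38647 advisory; the sample command outputs in the block are constructed, and a three-part version with no fourth component is treated as older than the fix on purpose.

```python
"""Check whether a Linux host runs a pre-fix OMI agent and whether the agent's
remote-management ports are listening.

Added illustration for this article, not Microsoft's or Wiz's tooling. The
fixed version is the one in Microsoft's CVE-2021-38647 advisory; the dpkg, rpm
and ss outputs embedded below are constructed samples.
"""
import re
import shutil
import subprocess
from typing import Optional, Set, Tuple

FIXED_VERSION: Tuple[int, ...] = (1, 6, 8, 1)   # OMI 1.6.8.1 / 1.6.8-1
OMI_PORTS = {5985, 5986, 1270}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?")


def parse_omi_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first a.b.c[.d|-d] version from package-manager output
    ('ii  omi  1.6.8.1 ...' or 'omi-1.6.8-1.x86_64'); None if there is none.
    A missing fourth component becomes 0, which sorts before the fix."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.groups() if p is not None]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def listening_ports(ss_output: str) -> Set[int]:
    """Parse `ss -lntp` output and return the set of listening TCP ports."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]                    # e.g. 0.0.0.0:5986, *:1270, [::]:5985
        _, _, port = local.rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def assess(pkg_output: str, ss_output: str) -> dict:
    """Combine both checks. 'remote_exposure' means a pre-fix agent also has an
    OMI port open, which is what the internet scanning in the article needs."""
    version = parse_omi_version(pkg_output)
    open_omi = listening_ports(ss_output) & OMI_PORTS
    unpatched = version is not None and version < FIXED_VERSION
    return {
        "omi_installed": version is not None,
        "version": version,
        "unpatched": unpatched,
        "omi_ports_listening": sorted(open_omi),
        "remote_exposure": unpatched and bool(open_omi),
    }


# Constructed sample outputs for a vulnerable host.
SAMPLE_DPKG = "ii  omi  1.6.4.1  amd64  Open Management Infrastructure\n"
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
    "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:((\"sshd\",pid=801,fd=3))\n"
    "LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*         users:((\"omiserver\",pid=1434,fd=5))\n"
)


def _run(cmd):
    """Run a command if it exists on this host, returning its stdout ('' otherwise)."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    pkg = _run(["dpkg", "-l", "omi"]) or _run(["rpm", "-q", "omi"])
    print(assess(pkg, _run(["ss", "-lntp"])))
```

Run as root on the VM itself so `ss -p` can attribute the listener to omiserver. A host that reports `unpatched` but no listening OMI ports is still worth fixing; it just is not reachable by the scanners described here.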

image: The Record

Exploitation was expected

Attacks exploiting this vulnerability have been expected ever since Wiz published its report on Tuesday.

“I think that the most interesting thing here is that the RCE is really easy to exploit,” Alon Schindel, threat research lead for Wiz, told The Record in a conversation earlier this week. “We’ve already seen some people on Twitter that were able to do so.”

But the attacks took off hours after a security firm published a proof-of-concept exploit on GitHub. This same exploit was spotted in attacks by security firm Bad Packets earlier today.

Mass scanning activity detected from (🇷🇺) checking for Azure Linux OMI endpoints vulnerable to remote code execution (CVE-2021-38647).

Vendor advisory: https://t.co/PO4A8mK5PI

Proof of concept: https://t.co/ioxDgZ9AlM #threatintel pic.twitter.com/TKHFVTOmpb

— Bad Packets (@bad_packets) September 17, 2021

According to reports from security researchers such as Kevin Beaumont and German Fernandez, after attackers use the OMIGOD exploit, they immediately deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.

But Schindel told The Record today that these attacks are only scratching the surface, and that threat actors could easily pivot to many other internal servers where the OMI agent is installed.

“You’re basically getting new targets for free. After you’ve successfully exploited a machine, you can try to move laterally with OMIGOD or with other techniques and assess the value of your target,” Schindel said.

“Alternatively, if you already had access to a network, OMIGOD can be used for lateral movement inside a network, but we can’t scan such internal exploitation attempts.”

Image: Wiz

The post DDoS botnets, cryptominers target Azure systems after OMIGOD exploit goes public appeared first on The Record by Recorded Future.

