Microsoft Azure virtual machines exploited to drop Mirai, miners
OMIGOD: Microsoft Azure Linux virtual machines exploited to drop Mirai, miners

Threat actors began actively exploiting the critical OMIGOD vulnerabilities in Azure two days after Microsoft disclosed them during this month's Patch Tuesday.

The four security vulnerabilities (allowing elevation of privilege and remote code execution) were found in the Open Management Infrastructure (OMI) software agent that Microsoft silently installs on more than half of all Azure instances.

In total, these bugs impact thousands of Azure clients and millions of endpoints, according to Wiz researchers Nir Ohfeld and Shir Tamari, who discovered them.

“With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple,” Nir Ohfeld, researcher at Wiz, said of the remote code execution (RCE) flaw, CVE-2021-38647.

“This vulnerability can also be used by attackers to gain initial access to a target Azure environment and then move laterally within it.”

Actively exploited to drop botnet and cryptomining malware

The first attacks were spotted last night by security researcher Germán Fernández and were quickly confirmed by the cybersecurity companies GreyNoise and Bad Packets.

According to current GreyNoise statistics, attackers are scanning the internet from more than 110 servers for exposed Azure Linux VMs vulnerable to CVE-2021-38647.

A Mirai botnet is behind some of these exploit attempts targeting Azure Linux OMI endpoints vulnerable to CVE-2021-38647, as first spotted by Fernández on Thursday night.

Digital forensics firm Cado Security also analyzed the botnet malware dropped on compromised systems and found that it “shuts down the ports of vulnerabilities it exploited to prevent other botnets from taking control of the system.”

As security researcher Kevin Beaumont found, other threat actors are targeting Azure systems vulnerable to OMIGOD to deploy cryptominer payloads.

OMIGOD exploited in the wild

How to secure your Azure virtual machine

While Microsoft released a patched version of the OMI software agent over a week ago, the company is still rolling out the security updates to cloud customers who have automatic updates turned on in their virtual machines.

According to additional guidance released today by Redmond, “Customers should update vulnerable extensions for their cloud and on-premises deployments as updates become available,” following a predefined schedule shared by the Microsoft Security Response Center team.

“New virtual machines in these regions will be protected against these vulnerabilities after the availability of updated extensions.”

To manually update the OMI agent on your virtual machine, you can also use the built-in Linux package manager:

“While updates are deployed using secure deployment practices, customers can protect themselves against the RCE vulnerability by ensuring that virtual machines are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose OMI ports (TCP 5985, 5986, and 1207),” Microsoft added.
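The guidance above asks operators to know whether their Linux VMs expose the OMI ports and whether the agent is on a patched build. The script below is an added example, not code from the article or from Microsoft: it reports which of TCP 5985, 5986 and 1207 are listening on a non-loopback address (parsing `ss -ltn`-style output) and compares the installed `omi` package version against the fixed version. It assumes the package is named `omi` in dpkg or rpm, uses a constructed `ss` sample rather than output from a real host, and leaves the fixed version as a placeholder to be taken from Microsoft's advisory.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): a local exposure
# check for the OMI agent on an Azure Linux VM.

# OMI ports named in Microsoft's guidance: 5985/5986 (WS-Man over HTTP/HTTPS)
# and 1207.
OMI_PORTS="5985 5986 1207"

# Placeholder only: substitute the patched OMI version from the advisory.
OMI_FIXED_VERSION="FIXED-VERSION-FROM-ADVISORY"

# Reads `ss -ltn`-style output on stdin and prints, one per line, each OMI
# port bound to a non-loopback address. Loopback-only listeners cannot be
# reached from the network, so they are skipped.
exposed_omi_ports() {
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}      # everything before the last ':'
        port=${laddr##*:}     # everything after the last ':'
        case "$addr" in
            127.*|"[::1]") continue ;;
        esac
        for p in $OMI_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "$port"
            fi
        done
    done
    return 0
}

# Prints "update" if the installed version sorts below the fixed version,
# otherwise "ok". sort -V (GNU coreutils) orders version strings by numeric
# component, so 1.2.3.4 sorts before 1.2.3.10.
omi_version_status() {
    installed=$1
    fixed=$2
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    if [ "$installed" = "$fixed" ] || [ "$lowest" != "$installed" ]; then
        echo ok
    else
        echo update
    fi
}

# Installed omi package version from dpkg or rpm; empty if OMI is not present.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null || true
    fi
}

# Constructed sample of `ss -ltn` output (not captured from any real host):
# 5985 is loopback-only, 5986 and 1207 are reachable from the network.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*
LISTEN 0      128    *:5986             *:*
LISTEN 0      128    [::]:1207          [::]:*'

# With --live the script inspects the host it runs on; otherwise it shows
# the constructed sample, which prints 5986 and 1207.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -ltn | exposed_omi_ports
    v=$(installed_omi_version)
    if [ -n "$v" ]; then
        echo "omi $v: $(omi_version_status "$v" "$OMI_FIXED_VERSION")"
    fi
else
    printf '%s\n' "$SAMPLE_SS" | exposed_omi_ports
fi
```

Any port the script prints is one the NSG or perimeter firewall should be blocking from untrusted sources; an empty result means the agent is either absent or bound only to loopback on that host, which is the state Microsoft's mitigation is aiming for until the updated extension lands.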
