OMIGOD! Azure Vulnerabilities Are Being Exploited

No sooner had it been revealed that the Open Management Infrastructure (OMI) software agent, silently installed by Microsoft on more than half of all Azure instances, carried exploitable flaws than threat actors were on the case, exploiting them.

“Mirai botnet is exploiting #OMIGOD—they drop a version of Mirai DDoS botnet and then close 5896 (OMI SSL port) from the internet to stop other people exploiting the same box,” Kevin Beaumont, aka GossiTheDog tweeted.

Microsoft disclosed the four vulnerabilities, collectively dubbed OMIGOD, during this September’s Patch Tuesday earlier this week: one unauthenticated remote code execution flaw (CVE-2021-38647) and three local privilege escalations.

“Azure users running Linux virtual machines are at risk of compromise unless they upgrade now,” said Cado Security in its analysis of the flaw and its exploitation, noting that “a vulnerable piece of management software in the Open Management Infrastructure (OMI) framework can be remotely exploited by attackers enabling them to escalate to root privileges and remotely execute malicious code.”

Azure, Cado explained, “will automatically install the OMI agent when users set up a Linux VM and monitoring and other services are enabled.” By default, then, “OMI runs with root access—making the system extremely vulnerable and subject to compromise,” the Cado researchers said. “It typically runs on ports 5986, 5985 and 1270; however, any port can be used.”

Exploiting OMIGOD is easy. Attackers only have to omit the authentication header from a request to the OMI listener, which then processes the request as root, since the agent, as Cado put it, “defaults with root access across systems.”
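The exploitation pattern just described (a WS-Management request to an OMI port that carries no Authorization header) is easy to turn into a host- or proxy-side detection. The following is an added example, not code from the article, Microsoft or Cado: the port list is the one Cado cites, while the /wsman endpoint path, the Authorization-header check and the fixed OMI version 1.6.8.1 used by the version helper are this example's own assumptions. The sample requests are constructed, not captured traffic.

```python
"""Detect the OMIGOD request pattern and check an OMI version string.

Added example. Assumptions (not from the article): OMI's WS-Man endpoint is
POST /wsman, a request with no Authorization header is the exploitation
signal, and 1.6.8.1 is the first patched OMI release.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

OMI_PORTS = {5986, 5985, 1270}      # ports Cado names; OMI can be bound elsewhere
OMI_FIXED_VERSION = (1, 6, 8, 1)    # assumption: first patched OMI release


@dataclass
class Finding:
    src: str
    dst_port: int
    reason: str


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def check_request(src: str, dst_port: int, raw: str) -> Optional[Finding]:
    """Flag a WS-Man POST to an OMI port that arrives with no Authorization header."""
    if dst_port not in OMI_PORTS:
        return None
    method, path, headers = parse_request(raw)
    if method != "POST" or not path.startswith("/wsman"):
        return None
    if "authorization" not in headers:
        return Finding(src, dst_port,
                       "unauthenticated WS-Man POST to OMI port (OMIGOD pattern)")
    return None


def scan(traffic: list[tuple[str, int, str]]) -> list[Finding]:
    """Run check_request over (src, dst_port, raw_request) tuples."""
    return [f for (src, port, raw) in traffic if (f := check_request(src, port, raw))]


def omi_version_is_patched(version: str) -> bool:
    """True if an OMI version such as '1.6.8.1' or '1.6.8-1' is at or above the fix."""
    parts = tuple(int(p) for p in re.split(r"[.-]", version.strip()))
    return parts >= OMI_FIXED_VERSION


# Constructed sample requests (RFC 5737 test addresses), not captured data.
SAMPLE_TRAFFIC = [
    ("203.0.113.7", 5986,
     "POST /wsman HTTP/1.1\r\nHost: 10.0.0.4:5986\r\n"
     "Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n<s:Envelope/>"),
    ("10.0.0.9", 5986,
     "POST /wsman HTTP/1.1\r\nHost: 10.0.0.4:5986\r\n"
     "Authorization: Basic Zm9vOmJhcg==\r\n"
     "Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n<s:Envelope/>"),
    ("198.51.100.2", 443,
     "POST /wsman HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAFFIC):
        print(f"{finding.src} -> :{finding.dst_port}  {finding.reason}")
    for v in ("1.6.4", "1.6.8-1"):
        print(v, "patched" if omi_version_is_patched(v) else "VULNERABLE")
```

Two caveats for anyone deploying this: port 5986 is TLS, so the header check has to run on the host or behind TLS termination, not on raw packets; and because, as Cado notes, OMI can be bound to any port, a port-keyed rule misses a relocated listener, so the version check on each VM is the authoritative signal.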

“The race is on,” said Stuart Winter-Tear, director of strategy at ThreatModeler. “As this is now confirmed as being actively scanned and exploited in an automated fashion via botnets, and we know there is the potential for root privilege remote code execution, any open OMI ports must be closed as soon as possible and Azure mitigation guidelines need to be implemented.”

Vectra CTO Oliver Tavakoli agreed that “immediately upon disclosure of a vulnerability, particularly a critical one which allows remote code execution with root privileges, it is always a race against the clock to mitigate/patch vs. getting exploited.”

When a “cloud-centric issue can be exploited from a remote position, the attack is ripe for automated discovery and attacks,” said Tyler Shields, CMO at JupiterOne. “While I am sure there are a lot of directed attacks at certain companies, I’m going to take an educated guess and say that much of this is automated scanning looking for opportunities of chance.”

But Tavakoli said that Azure is a big draw for attackers. This vulnerability, he contended, “is valuable enough to an attacker to go to the top of the list of anyone who is targeting assets organizations hold in Azure.”

Much of the responsibility to reduce risk in the cloud falls on the user, according to Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. “The fact that 99% of all cybersecurity breaches exploit a known, unmitigated vulnerability does not apply to cloud services simply because providers, such as AWS and Azure, are aggressively proactive about the cyber hygiene of their products,” he said.

“The real risk in cloud security stems from the fact that 95% of all cloud security breaches are due to user error and cloud service user misconfigurations,” said Bar-Dayan. “We plead with enterprise consumers of cloud services to make the security of the services they consume a top priority and be as proactive as the cloud service providers in their never-ending mitigation efforts.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.