Attackers have begun to exploit critical Microsoft Azure vulnerabilities that were disclosed and patched earlier this week, security researchers report.
The OMIGOD flaws, discovered by the Wiz Research Team, exist in Open Management Infrastructure (OMI), a widely used but little-known software agent embedded in a range of popular Azure services. They include remote code execution flaw CVE-2021-38647 and privilege escalation vulnerabilities CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649.
New data indicates attackers are scanning the Web for Azure Linux virtual machines that are vulnerable to CVE-2021-38647. The finding was first spotted by security researcher Germán Fernández on Thursday evening. Security firms Bad Packets and GreyNoise later confirmed the activity. And as Fernández pointed out, a Mirai botnet operator is among those scanning.
An unauthenticated, remote attacker could exploit CVE-2021-38647 by sending a specially crafted request to a vulnerable target over a publicly accessible remote management port (5986, 5985, and 1270). If successful, an attacker could become root on a remote machine.
As part of the ongoing Mirai activity, attackers drop a version of the Mirai DDoSbotnet and then close port 5896 from the Internet to stop others from exploiting the same box, as security researcher Kevin Beaumont wrote on Twitter. He also reported one of his test boxes was targeted by attackers who deployed a cryptominer.