20 September 2021

Cybercriminals are actively targeting OMIGOD vulnerabilities


Threat actors are actively scanning the internet for unprotected Azure Linux-based servers vulnerable to the recently patched OMIGOD flaws, in order to deploy cryptomining software on them or ensnare them in a DDoS botnet, multiple security researchers have warned.

Last week, Microsoft released its September 2021 Patch Tuesday security updates addressing over 60 vulnerabilities in its products, including several flaws impacting the Open Management Infrastructure (OMI) software, an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems.

Collectively tracked as OMIGOD, the vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648, CVE-2021-38649) can be used by an attacker to elevate privileges on the system or to execute arbitrary code remotely.

Microsoft addressed the issue by releasing version 1.6.8.1 for the OMI client on GitHub.
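The first question a defender has after reading the fix version above is whether a given host is actually running it. The following checker is an added example, not code from the article or from Microsoft: it assumes the Linux package is named `omi` and that the caller feeds it `dpkg -l` or `rpm -q` style output; the inventory lines it runs on are constructed. It compares versions numerically so that, for instance, a hypothetical 1.6.10 is correctly treated as newer than 1.6.8.1.

```python
"""Triage an OMI inventory against the fixed release named in the article.

Added example, not from the article. Assumes the Linux package is called
"omi" and that package-manager output lines are supplied; the sample
inventory below is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "1.6.8.1"  # release the article says addresses OMIGOD


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.8.1' or the RPM-style '1.6.8-1' into a tuple of ints.

    Package managers often render the last component as a '-N' release
    rather than '.N', so any non-digit separator is accepted.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric, not lexical, comparison: 1.6.10 > 1.6.8 even though '10' < '8' as text.

    Shorter tuples are zero-padded, so '1.6.8' compares as 1.6.8.0 (< 1.6.8.1).
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


# 'dpkg -l omi' rows look like "ii  omi  1.6.8.1  amd64 ...";
# 'rpm -q omi' prints "omi-1.6.4-1.x86_64" (version-release.arch).
DPKG_ROW = re.compile(r"^ii\s+omi\s+(\S+)")
RPM_ROW = re.compile(r"^omi-([\d.]+-\d+)")


def installed_omi_version(line: str) -> Optional[str]:
    """Extract the installed OMI version from one package-manager line, or None."""
    for rx in (DPKG_ROW, RPM_ROW):
        m = rx.match(line.strip())
        if m:
            return m.group(1)
    return None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """For each (host, package-manager line) return (host, version, verdict)."""
    results = []
    for host, line in inventory:
        ver = installed_omi_version(line)
        if ver is None:
            results.append((host, "-", "omi not installed"))
        elif is_patched(ver):
            results.append((host, ver, "patched"))
        else:
            results.append((host, ver, "VULNERABLE - update to " + FIXED_VERSION))
    return results


# Constructed sample inventory (hostnames and package lines are made up).
SAMPLE_INVENTORY = [
    ("vm-web-01", "ii  omi  1.6.8.1  amd64  Open Management Infrastructure"),
    ("vm-db-02", "omi-1.6.4-1.x86_64"),
    ("vm-app-03", "ii  omi  1.6.10.2  amd64  Open Management Infrastructure"),
    ("vm-log-04", "ii  rsyslog  8.2001.0-1ubuntu1  amd64  system logging daemon"),
]

if __name__ == "__main__":
    for host, ver, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:12} {verdict}")
```

In practice the inventory would be collected from the fleet (for example via the same management tooling that installed OMI) and the "VULNERABLE" rows fed into patching; a host with no `omi` package at all is reported separately rather than silently counted as safe, since that usually means the collection step failed.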

According to the researchers, attacks exploiting the RCE bug (CVE-2021-38647) started on September 16, after a public proof-of-concept exploit was published on the code hosting website GitHub. The first attacks were detected by researchers at Bad Packets and GreyNoise. Security researcher Kevin Beaumont reported that a Mirai DDoS botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (the OMI SSL port) to block attacks from other threat actors.

Microsoft has released additional guidance with instructions for users on how to determine whether their cloud and on-premises deployments have been compromised.
