20 September 2021

Cybercriminals are actively targeting OMIGOD vulnerabilities

Threat actors are actively scanning the internet for unprotected Azure Linux-based servers vulnerable to the recently patched OMIGOD flaws in order to deploy cryptomining software or ensnare them in a DDoS botnet, multiple security researchers have warned.

Last week, Microsoft released its September 2021 Patch Tuesday security updates addressing over 60 vulnerabilities in its products, including several flaws impacting the Open Management Infrastructure (OMI) software, an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems.

Collectively tracked as OMIGOD, the vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648, CVE-2021-38649) can be used by an attacker to elevate privileges on the system or to execute arbitrary code remotely.

Microsoft addressed the issue by releasing version 1.6.8.1 for the OMI client on GitHub.
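Since the fix is tied to a single agent version, the first thing a defender wants is a quick way to tell whether a fleet of Linux hosts is still running an OMI build older than 1.6.8.1. The script below is an added example, not Microsoft's tooling or part of the article: it parses the version string reported by the host's package manager (both the dotted `1.6.8.1` form and the rpm/deb `1.6.8-1` version-release form), compares it against the fixed version stated above, and triages a constructed sample inventory. The `installed_omi_version` helper and the package name `omi` are assumptions for illustration.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Version of the OMI agent that Microsoft published as the fix (from the article).
FIXED_VERSION: Tuple[int, int, int, int] = (1, 6, 8, 1)


def parse_omi_version(raw: str) -> Tuple[int, ...]:
    """Turn a package-manager version string into a comparable tuple of ints.

    Accepts the dotted form "1.6.8.1" and the rpm/deb form "1.6.8-1"
    (version-release). Any trailing suffix such as ".ssl_110.ulinux" is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)[.-](\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised OMI version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(raw: str) -> bool:
    """True when the reported version is older than the fixed 1.6.8.1 build."""
    return parse_omi_version(raw) < FIXED_VERSION


def installed_omi_version() -> Optional[str]:
    """Ask the local package manager for the installed 'omi' package version.

    Hypothetical helper: tries rpm first, then dpkg. Returns None when neither
    tool is present or the package is not installed.
    """
    queries = (
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"],
        ["dpkg-query", "-W", "-f=${Version}", "omi"],
    )
    for cmd in queries:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


# Constructed sample inventory: hostname -> version string as a package manager
# would report it. These hosts and versions are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "1.6.4-1.ssl_110.ulinux",   # old rpm-style string, unpatched
    "web-02": "1.6.8.0",                  # dotted, one step below the fix
    "db-01": "1.6.8-1.ssl_110.ulinux",    # rpm-style string of the fixed build
    "db-02": "1.6.9-0",                   # newer than the fix
}


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to True if its OMI version is still vulnerable."""
    return {host: is_vulnerable(version) for host, version in inventory.items()}


if __name__ == "__main__":
    local = installed_omi_version()
    if local is None:
        print("local host: omi package not found")
    else:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"local host: omi {local} -> {state}")
    for host, vulnerable in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'VULNERABLE' if vulnerable else 'patched'}")
```

Run it on each host (or feed it an inventory exported from your configuration-management system) and act on the hosts flagged as vulnerable; the version check is deliberately strict, so a release suffix that does not parse raises rather than silently passing.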

According to the researchers, attacks exploiting the RCE bug (CVE-2021-38647) started on September 16, after a public proof-of-concept exploit was published on the code-hosting website GitHub. The first attacks were detected by researchers at Bad Packets and GreyNoise. Security researcher Kevin Beaumont reported that a Mirai DDoS botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to block attacks from other threat actors.

Microsoft has released additional guidance with instructions for users on how to determine whether their cloud and on-premises deployments have been compromised.