- Mirai has been quick to add the recently disclosed critical OMI remote code execution flaw (CVE-2021-38647), which affects almost half of all Azure deployments.
- The malware disguises itself as “nginx” and closes the OMI HTTPS port (5986) so that rival botnets cannot exploit the same hole.
- The patch was released ten days ago, so plenty of vulnerable, unpatched systems are still exposed.
Mirai is ludicrously quick to add new exploits to its arsenal. Its authors have moved fast before, but the critical remote code execution flaw in Azure's OMI agent, disclosed only days ago, was incorporated at lightning speed. Maybe the fact that CVE-2021-38647 is trivial to exploit played a key role, or maybe it was the prospect of running as root on the affected host that motivated the operators. Whatever the reason, Mirai has just gained yet another powerful key that unlocks the door to your network.
Once Mirai has been dropped on a vulnerable machine, it closes the OMI HTTPS port (5986) so that other attackers cannot exploit the same flaw. This is indicative of the competition that goes on in the cybercrime space: the first to weaponize a widely affecting bug is often the only one to reap the benefits. It is a race, and malware authors have to get there before their rivals do. Admins take part in the same race, since they need to patch vulnerable systems before an exploit is out.
JupiterOne’s Tyler Shields told us:
I'm not surprised that we are now experiencing the active exploitation of this vulnerability. Anytime that a cloud-centric issue can be exploited from a remote position, the attack is ripe for automated discovery and attacks. While I am sure there are a lot of directed attacks at certain companies, I'm going to take an educated guess and say that much of this is automated scanning looking for opportunities of chance.
On systems it manages to exploit, Mirai nests inside while disguising itself as “nginx”, the popular web server. The worm also tries to spread to other systems on the same network using the OMIGOD vulnerabilities. Researchers at Cado Security who analyzed a sample of the latest Mirai found that the commands it issues are only base64-encoded, so they are easy to decode and inspect.
To check whether your system has the OMI agent installed, run the following command in a terminal:
For Debian-based systems: dpkg -l omi
For Red Hat-based distributions: rpm -qa omi
If the query finds the package, update it to the fixed version (1.6.8.1 or later). Microsoft has also published detailed guidance on how to manage and mitigate the associated risk, so make sure to read it carefully and follow it.
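The two package-manager queries above only tell you that OMI is present, not whether the installed build predates the fix. The POSIX shell script below, an added example that is neither from this article nor from Microsoft, wraps both queries, normalizes the package version string, compares it against the fixed release, and also reports whether the OMI WS-Man ports are listening. It assumes the package is named "omi" on both Debian and RPM systems, that 1.6.8.1 is the first fixed version (per Microsoft's advisory), and that OMI listens on 5985 (HTTP) and 5986 (HTTPS); adjust those constants if your environment differs.

```shell
#!/bin/sh
# Added example, not code from the article or from Microsoft.
# Checks whether the installed OMI agent predates the OMIGOD fix
# (CVE-2021-38647) and whether its WS-Man ports are listening.
# Assumptions: package is named "omi"; first fixed version is 1.6.8.1;
# OMI listens on 5985/5986.

FIXED_OMI_VERSION="1.6.8.1"

# normalize_version: turn a package version into a plain dotted number,
# e.g. "1.6.8-1" -> "1.6.8.1", "1.6.4.1.ssl_110" -> "1.6.4.1"
normalize_version() {
    printf '%s' "$1" | tr '-' '.' | sed 's/^\([0-9.]*\).*/\1/; s/\.*$//'
}

# version_lt A B: return 0 (true) if dotted version A is lower than B,
# comparing up to four numeric components and padding missing ones with 0
version_lt() {
    a=$(normalize_version "$1")
    b=$(normalize_version "$2")
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# omi_status VERSION: print a verdict; return 2 if the version still needs the fix
omi_status() {
    if version_lt "$1" "$FIXED_OMI_VERSION"; then
        echo "omi $1 is older than $FIXED_OMI_VERSION: vulnerable to CVE-2021-38647, update now"
        return 2
    fi
    echo "omi $1 includes the CVE-2021-38647 fix"
    return 0
}

# installed_omi_version: print the installed package version via dpkg or rpm;
# return 1 if the package is absent or neither tool exists
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# listening_omi_ports: list local sockets bound to the OMI HTTP/HTTPS ports
listening_omi_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '$4 ~ /:(5985|5986)$/ { print "OMI port listening on " $4 }'
    fi
}

main() {
    ver=$(installed_omi_version) || { echo "omi package not installed (or no dpkg/rpm found)"; return 0; }
    listening_omi_ports
    omi_status "$ver"
}

# The script's exit status is main's: 0 when patched or absent, 2 when vulnerable.
main "$@"
```

Run it as root on each Linux VM (or push it through your fleet tooling); an exit status of 2 means the host still runs a pre-fix OMI and should be patched and then checked for the fake "nginx" process described above.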