Threat actors have started to actively exploit critical Microsoft Azure vulnerabilities, just days after Microsoft disclosed them during September’s Patch Tuesday.

The OMIGOD flaw, CVE-2021-3864, was discovered by the Wiz Research Team, and found in the Open Management Infrastructure (OMI) software agent embedded in a range of popular Azure devices.

New data suggests Mirai botnet operators are scanning the web for Azure Linux virtual machines. Security researcher Germán Fernández first spotted the finding. Bad Packets and GreyNoise, security firms, confirmed ten malicious servers were scanning the internet for vulnerable servers, quickly growing to more than 100. 

Oliver Tavakoli, CTO at Vectra, notes, “Immediately upon disclosure of a vulnerability, particularly a critical one which allows remote code execution with root privileges, it is always a race against the clock to mitigate/patch vs. getting exploited. This vulnerability is valuable enough to an attacker to go to the top of the list of anyone who is targeting assets organizations hold in Azure.”

Digital forensics company Cado Security analyzed the botnet malware and found that Mirai hides as a legitimate web server and then “closes the ports of the vulnerabilities it exploited to stop other botnets taking over the system.”

Stuart Winter-Tear, Director of Strategy at ThreatModeler, says, “The race is on. As this is now confirmed as being actively scanned and exploited in an automated fashion via botnets, and we know there is the potential for root privilege remote code execution, any open OMI ports must be closed as soon as possible, and Azure mitigation guidelines need to be implemented.”

Microsoft Threat Intelligence Center (MSTIC), which has been monitoring for signs of exploitation and investigating detections, says they have seen several active exploitation attempts ranging from basic host enumeration (running unameidps commands) to attempts to install a cryptocurrency miner or file share. And, due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, MSTIC is anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).

The only surprise here is that attackers waited as long as they did before launching attacks to compromise this, says John Bambenek, Principal Threat Hunter at Netenrich. “Security professionals and cloud teams should block OMI ports and patch immediately. The fact that so few did so immediately means I’m never going to be able to retire.”