THE TIBERIUM BLOG - recent events, threats, and all things cyber

OMG

Last week, cloud security outfit Wiz announced what they called a ‘secret agent’ group of vulnerabilities that enable takeover and privilege escalation of Linux servers in the Azure cloud.  

These have now collectively been called ‘OMIGOD’ which has a logo. We all know that means serious. This is. 

The issue is to do with the automatic installation of a software agent called ‘Open Management Infrastructure’ (OMI – see what they did there) when many popular Azure services are installed. Furthermore, hardly anybody knows the agent is running, how it runs or what it does. 

Over half of Azure services run on Linux instances according to Wiz and if they run any of these tools or services (not an exhaustive list), they are at risk: 

  • Azure Automation 
  • Azure Automatic Update 
  • Azure Operations Management Suite (OMS) 
  • Azure Log Analytics 
  • Azure Configuration Management 
  • Azure Diagnostics 
  • Azure Container Insights

For clarification – OMI is also often installed on on-premise equipment. The risks are massive and need to be taken seriously. Read on. 

This agent is installed as, and runs with, root privileges. Alas, it has 4 serious bugs. This is a biggie. 

As if that were not bad enough, it is now being actively exploited by the Mirai Botnet which has been adapted in short order.  The Mirai Botnet exploits vulnerable home routers and other Internet of Ting Tings devices to be slaves in any number of attacks. The versatility is extraordinary.  

It is estimated that Mirai has between 300,000 and one million compromised devices.  If these are being used to compromise Azure Linux instances, which they are, this is a huge problem. 

Microsoft has released very detailed guidance on mitigation together with patch recommendations. These continue to be updated. 

Our recommendation is that you, or your providers – and it is very important to remember that service providers to your business may be running compromised or vulnerable machines – consider the following actions. It is assumed that the Microsoft guidance will be followed: 

Brief (CISO/CIO) 

Brief the board of potential business impact, effort and cost 

  • Plan to identify, quantify, plan, remediate and report 
  • Check and update incident run book 
  • Publish action plan to customers 

Brief the IT department and potentially all staff. 

Plan (Nominated project manager or technical resource) 

Identify (CIO/IT Team) 

  • Business system risk  
  • Third party risk (essential) 
  • Have you been exploited already – indicators of compromise 

Remediate (Technical teams and third parties) 

Test (Including third parties) 

Report (ALL LEVELS including customers) 

Repeat (This issue is going to run and run)  

This issue is too big to ignore and it is imperative that you address it, immediately. 

If you are a Tiberium customer, you know that our services FROST and MYTHIC are able to identify compromise, report issues and where possible take action.


If you are not currently a customer and would like some help, clarification or any other advice, we are here and will advise and support you appropriately. Contact us.

Tiberium is a sponsor of this week’s Alternative Legal IT Conference. If you are going, please look us up and join us for an open discussion. OMIGOD will no doubt be high on the agenda. 

The song OMG is by Usher and features the (to our mind) genius Will.I.Am. Whilst most of the lyrics are very, very far from the work of Dylan or Paul Simon, and NSFW, it does include this:  

“This one something special, this one just like dynamite” 

Please don’t get blown up. 
