Cloud Security, Cloud Security

Researchers document attacks on Azure OMI and the Atlassian Confluence OGNL

The Microsoft logo is illuminated at its booth at the GSMA Mobile World Congress 2019 on Feb. 26, 2019, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Researchers on Wednesday reported on Wednesday a sharp increase in the number of attackers trying to exploit the Azure Open Management Infrastructure (OMI) vulnerability over a 45-day period in August and September.

In a blog post, Barracuda researchers also pointed out attacks on the Atlassian Confluence OGNL injection, but security researchers said the attacks were primarily on the on-premises option and not the Atlassian Confluence Cloud.

Overall, the researchers found spikes in attacks on the two vulnerabilities coming from more than 500 unique attacker IP addresses.

Microsoft released CVE-2021-38647 on Sept. 15. The vulnerability to Azure OMI — dubbed OMIGOD — is a software agent that’s silently pre-installed and deployed within cloud environments. The Barracuda researchers said this silent installation has put Azure customers at risk until they update their systems to the latest version of OMI. The Confluence OGNL injection vulnerability that lets threat actors inject Java code into servers — CVE-2021-26084 — was first published by Atlassian on Aug. 25 and should also be patched.

As enterprises continue to migrate their services to the cloud, the upstream attack surface created by this reliance is not readily known or auditable, said Vishal Jain, co-founder and CTO at Valtix. OMIGOD highlights the technical vacuum within organizations as many security teams and IT practitioners had never before heard of Azure OMI.

“It may have started with botnets and cryptominers, but it’s likely that more advanced threats will look to leverage similar vulnerabilities that impact cloud services at scale,” Jain said. “And that’s precisely why a layered defense is so important. Segmenting workloads, restricting unnecessary access, and implementing intrusion prevention are all of the basics that are just as relevant in the cloud as on-premises.”

Archie Agarwal, founder and CEO at ThreatModeler, also said that the Azure OMI vulnerability poses an interesting case because this service — intended to enable logging or management functionality — was nearly unknown. Agarwal added that what makes Azure OMI so pernicious is that with a specially crafted request, attackers can remotely exploit it with potential escalation to root privilege.

“This potentially left a gaping hole for remote code execution that is no way the fault of Azure customers and very shortly after the details were released this was being exploited in an automated fashion via botnets,” Agarwal said. “It’s incredibly difficult to protect against vulnerable services that are being automatically installed by the cloud providers themselves. As I mentioned, this particular service was almost unknown and the fact it runs with root privileges is very worrying indeed.”

Jayant Shukla, co-founder and CTO at K2 Cyber Security, explained that remote code execution (RCE) remains one of the most dangerous exploits in the cybercriminal arsenal. RCE lets criminals run what they want on the server they exploit — some of the largest data breaches started with an RCE attack, Shukla said.

“Azure OMI shows the pitfalls of command tunneling, even though such capabilities are a necessity for cloud management interfaces," Shukla said. “Cloud-based applications and APIs have always faced problems with access control. Permitting command execution capability without a stringent and robust access control will lead to exploitable vulnerabilities as is the case here.”


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.