Over the past several months, Radware researchers have been monitoring the ongoing evolution of the Mirai variant campaign known as Dark.IoT. In August, we reported [1] that the operators behind the botnet had begun leveraging a vulnerability, CVE-2021-35395, in Realtek's SDK only a week after it was disclosed. This month, the operators of Dark.IoT integrated two new exploits in their most recent malware binaries.
CVE-2021-38647, also known as OMIGOD, was disclosed [2] by the Wiz Research Team on September 14 and is an unauthenticated Remote Code Execution vulnerability affecting more than half of all Microsoft Azure cloud instances. The second, CVE-2021-33544, was disclosed [3] in July of 2021 by RandoriSec and is a command injection vulnerability that impacts about a dozen IP camera manufacturers who use firmware by UDP Technology.
Read the Complete Alert
Background
In August of 2021, Radware Research reported [1] that a Mirai variant campaign known as Dark.IoT had begun leveraging a vulnerability in Realtek's SDK a week after its disclosure. Both Palo Alto Networks and Juniper Threat Labs reported [4] [5] seeing the operators behind Dark.IoT leveraging recently disclosed exploits within days, and in one case, within hours of publication. All three security firms, who are members of the Cyber Threat Alliance, agreed that the operators would continue to rapidly leverage recently disclosed vulnerabilities in an attempt to capture more vulnerable devices.
Radware is now reporting that the operators behind Dark.IoT again updated their binaries to include two new exploits. One of the new exploits allows Dark.IoT to move beyond IoT devices with constrained resources to capable Linux servers hosted in Azure clouds. Malicious actors targeting Linux cloud instances would typically leverage them for cryptomining operations. The Dark.IoT campaign, however, is aimed exclusively at leveraging infected instances for DDoS attacks. At the time of publication, the only payload embedded in the dropped malware binaries leveraging OMIGOD were the previously reported [1], well-known DDoS attack vectors.
OMIGOD VULNERABILITY
On September 14, 2021, the Wiz Research Team disclosed [2] a series of critical vulnerabilities affecting the Azure Open Management Infrastructure (OMI) agent. The OMI agent is deployed automatically in Linux instances when Azure customers enable certain Azure services, without their knowledge. Wiz named the quartet of zero-days “OMIGOD.” They conservatively estimated that thousands of Azure customers and millions of endpoints could be affected. In the small sample of Azure tenants they analyzed, over 65% were unknowingly at risk.
Microsoft issued CVEs for OMIGOD and made a patch available to customers during their September, 2021 Patch Tuesday release:
Microsoft updated its advisory [10] on September 18, announcing an auto-update for their PaaS service offerings that use vulnerable VM extensions by September 22, 2021. Microsoft also clarified which instances will still require manual patching.
The Wiz Research Team blog includes all information needed to weaponize the vulnerability. The first Python based proof-of-concept was published on Github by September 15, 2021.
The operators behind the Dark.IoT botnet demonstrated their ability to leverage and test recently disclosed vulnerabilities quickly. In some cases, the operators have been able to incorporate exploits within hours of publication. With the most recent updates to the Dark.IoT botnets, Radware’s deception network recorded OMIGOD exploits carrying the Dark.IoT signature (“Agent-Header: Dark”) starting September 15, 2021, only a few hours after the proof of concept was made public.