Microsoft Security Intelligence
Published Sep 22, 2021 | Updated Sep 27, 2021

Exploit:Linux/CVE-2021-38647.B!dha

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.  

This detection indicates that attackers have been exploiting CVE-2021-38647, a remote code execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework. The vulnerability, also referred to as OMIGOD, lets attackers run arbitrary remote commands with root privileges on vulnerable devices.

Note: This RCE vulnerability affects only customers using a Linux management solution that enables remote OMI management, such as on-premises System Center Operations Manager (SCOM), Azure Automation State Configuration, or the Azure Desired State Configuration extension.

To learn how to mitigate these attack scenarios, read the following blogs:

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.  

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.    

Recommendations for immediate action  
  • Update vulnerable extensions for cloud and on-premises deployments as the updates become available. For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions. Where possible, ensure that automatic extension updates are enabled.
  • To identify the affected extensions, you can use the Azure Portal or Azure CLI as described in this article. OMI agents older than version 1.6.8.1 are vulnerable. The fixed version can be installed by following these instructions.
  • If updates cannot be installed, ensure that VMs are deployed within a network security group (NSG) or behind a perimeter firewall, and restrict access to Linux systems that expose the OMI ports TCP 5985, 5986, and 1270. On most Linux distributions, the command 'netstat -an | grep <port-number>' indicates whether any process is listening on <port-number>.
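The three actions above combine into one host-side check: is the installed OMI agent older than 1.6.8.1, and are any of the OMI ports in a listening state? The script below is an added example and not code from the Microsoft page; it assumes the installed version is supplied as a dotted string (as the advisory writes it) and that the listener output has the 'netstat -an' column layout. The sample netstat lines are constructed. Matching the exact port after the last colon avoids the false positives a bare 'grep <port-number>' produces when the number also appears inside an IP address or a remote port.

```shell
#!/bin/sh
# Added example (not from the Microsoft advisory): check the two conditions
# the advisory lists, an OMI agent older than 1.6.8.1 and a listener on the
# OMI ports TCP 5985, 5986 or 1270. Sample input below is constructed.

OMI_FIXED_VERSION="1.6.8.1"   # first fixed version named in the advisory
OMI_PORTS="5985 5986 1270"    # ports the advisory says to restrict

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Missing trailing components count as 0, so 1.6.8 is older than 1.6.8.1.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # every component compared equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# omi_vulnerable VERSION: succeed when the installed OMI version is below the fix.
omi_vulnerable() {
    version_lt "$1" "$OMI_FIXED_VERSION"
}

# omi_listeners: read 'netstat -an' (or 'ss -ltn', same 4th column) output on
# stdin and print each OMI port found in LISTEN state, sorted and de-duplicated.
# The local address is the 4th column; the port is whatever follows its last colon.
omi_listeners() {
    awk -v ports="$OMI_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        /LISTEN/ {
            addr = $4
            sub(/.*:/, "", addr)
            for (i = 1; i <= n; i++) if (addr == want[i]) print addr
        }' | sort -u
}

# Constructed sample of 'netstat -an' output: OMI listening on 5985 (loopback
# only) and 5986 (all interfaces); the ESTABLISHED line must be ignored.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5985          0.0.0.0:*               LISTEN
tcp6       0      0 :::5986                 :::*                    LISTEN
tcp        0      0 10.0.0.5:5985           10.0.0.9:51234          ESTABLISHED'

# report VERSION < listener-output: print one verdict line per finding.
report() {
    if omi_vulnerable "$1"; then
        echo "OMI $1 is older than $OMI_FIXED_VERSION: update the agent or extension"
    else
        echo "OMI $1 is at or above $OMI_FIXED_VERSION"
    fi
    for p in $(omi_listeners); do
        echo "OMI port $p is listening: confirm an NSG or firewall restricts access to it"
    done
}

# Run against the constructed sample by default; with '--live <version>' read
# the real host's listeners instead (netstat first, ss as fallback).
if [ "${1:-}" = "--live" ]; then
    { netstat -an 2>/dev/null || ss -ltn; } | report "${2:-0.0.0.0}"
else
    printf '%s\n' "$SAMPLE_NETSTAT" | report "1.6.8.0"
fi
```

Run as 'sh omi_check.sh --live 1.6.8.0' on a host, substituting the version the Azure Portal or CLI reports for the agent. A port that only shows up bound to 127.0.0.1, as 5985 does in the sample, is still reported, since the advisory's guidance is to restrict access to the exposed ports rather than to reason about which interface is bound; the NSG or firewall rule is the control to verify.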
Additional recommendations
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.   
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.   
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.   
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.   
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.