The team at Microsoft is used to dealing with their fair share of bugs, but the most recent exploit to affect Microsoft Azure, referred to as OMIGOD, uses an old hacking trick that is one of the easiest in the book. You don’t need an advanced degree in computer security or even an intimate knowledge of a system’s security internals. In this case, you don’t even need a password.
In fact, this lack of authentication is the key to the entire trick. Instead of guessing a valid authentication token, brute-forcing it, or relying on another tool in the arsenal, hackers can simply omit the authentication token altogether. Doing so gives the unauthorized user the ability to complete a fraudulent OMI web request without having to verify any credentials whatsoever.
This specific vulnerability affects many different Azure services. Some of the affected services include Automation, Automatic Update, Configuration Management, Log Analytics, Operations Management Suite, and more.
A Unique Problem
In most cases, vulnerabilities like this would be patched nearly instantaneously. However, this case is a little bit different. Although a fix was released at the server level all the way back in August 2021, the patch is not applied automatically: individual users must download and apply it themselves. To make matters worse, some users might not even realize they’re at risk.
Tyler Shields, chief marketing officer with JupiterOne, Inc., a cyber asset management company, summarized it best by saying: “To understand their exposure to this vulnerability, enterprises need to know which assets have the OMI management function enabled and ensure that nothing is directly exposed to the internet. You may assume that two or three layers of firewalls protect these assets, but unfortunately, transitive trust relationships among assets can accidentally create a path that an attacker can exploit.”
As Shields’ quote illustrates, individual users might not even be aware that they have OMI installed, because OMI is often installed automatically on a user’s system alongside other Azure-related apps.
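A host-side inventory check along the lines Shields describes, added here as an example; it is not code from the article, from Microsoft, or from Wiz. It assumes OMI ships as a package named omi with the binary at /opt/omi/bin/omiserver, that the patched version number is filled in from the vendor advisory (left as a placeholder here), and it looks at OMI’s default listener ports 5985, 5986 and 1270, which the article itself does not list. The ss output embedded in the script is a constructed sample used only when ss is unavailable.

```shell
#!/bin/sh
# Added defender-side inventory helper; not code from the article, Microsoft or Wiz.
# Assumptions: OMI ships as a package named "omi" and installs /opt/omi/bin/omiserver;
# the patched version number must be taken from the vendor advisory (placeholder below).

OMI_FIXED_VERSION="${OMI_FIXED_VERSION:-FIXED_VERSION_FROM_ADVISORY}"  # placeholder, fill in from the advisory
OMI_PORTS="5985 5986 1270"   # OMI's default HTTP, HTTPS and Linux listener ports

# Constructed `ss -ltn` output, used only when the host has no ss command
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:5985       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986         0.0.0.0:*
LISTEN 0      128    [::]:1270            [::]:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

# Print the installed OMI version (nothing when OMI is absent); always exits 0
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f='${Version}' omi 2>/dev/null; then
    return 0
  fi
  if command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    return 0
  fi
  if [ -x /opt/omi/bin/omiserver ]; then          # assumed install path
    /opt/omi/bin/omiserver -v 2>/dev/null
  fi
  return 0
}

# version_at_least INSTALLED REQUIRED: succeeds when INSTALLED >= REQUIRED (sort -V ordering)
version_at_least() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# exposed_omi_listeners SS_OUTPUT: print the `ss -ltn` lines where an OMI port is bound
# to a non-loopback address; no output means no OMI listener is reachable from off-host
exposed_omi_listeners() {
  printf '%s\n' "$1" | awk -v ports="$OMI_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR > 1 {
      port = $4; sub(/.*:/, "", port)                        # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)    # everything before it
      if ((port in want) && host !~ /^(127\.|\[::1\])/) print
    }'
}

# report: version status plus any OMI listener bound beyond loopback
report() {
  v="$(installed_omi_version)"
  if [ -z "$v" ]; then
    echo "OMI: not installed"
  elif [ "$OMI_FIXED_VERSION" = "FIXED_VERSION_FROM_ADVISORY" ]; then
    echo "OMI $v installed; set OMI_FIXED_VERSION to the patched version from the vendor advisory to compare"
  elif version_at_least "$v" "$OMI_FIXED_VERSION"; then
    echo "OMI $v installed: at or above $OMI_FIXED_VERSION"
  else
    echo "OMI $v installed: OLDER than $OMI_FIXED_VERSION, update required"
  fi
  if command -v ss >/dev/null 2>&1; then
    listeners="$(ss -ltn 2>/dev/null)"
  else
    echo "(ss not found; evaluating the constructed sample instead of this host)"
    listeners="$SAMPLE_SS"
  fi
  exposed="$(exposed_omi_listeners "$listeners")"
  if [ -n "$exposed" ]; then
    echo "OMI ports bound to non-loopback addresses:"
    printf '%s\n' "$exposed"
  else
    echo "no OMI port bound to a non-loopback address"
  fi
}

report
```

Run it on each Linux host in the fleet (ss -ltn does not need root) and feed the results into the asset inventory. A listener on 0.0.0.0 or [::] is not automatically internet-reachable, since firewalls may sit in front of it, but as Shields notes, transitive trust between assets can open a path anyway, so every non-loopback OMI listener deserves a follow-up on who can actually reach it.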
It’s More Widespread Than You Think
But the problem isn’t limited to Microsoft Azure and cloud environments. In some cases, OMI is used on Linux installations for on-premises servers. Although the platform is different, any potential consequences are very much the same.
Once the fraudulent OMI web request is completed, the hacker can easily gain root privileges, which can then be used to execute malicious code or launch various cyberattacks – including ransomware and mass file encryption. As we’ve learned in past ransomware attacks, restoring full access to an affected system is never guaranteed – even if the ransom is paid in full.
According to the research team at Wiz: “Azure customers on Linux machines – which account for over half of all Azure instances according to Microsoft – are at risk if they use any of the following services / tools: Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, Azure Diagnostics, and Azure Container Insights.”
Microsoft Azure Users Threatened by a Series of Exploits Dubbed OMIGOD