Mirai is ludicrously quick to add new exploits to its arsenal. We have seen its authors move fast in the past, but in the case of the critical remote code execution flaw discovered in Azure and published a few days back, its inclusion was lightning fast. Maybe the fact that CVE-2021-38647 isn’t hard to exploit played a key role here, or maybe it was its amazing potential for privilege escalation that motivated the hackers. Whatever it is, Mirai has just incorporated yet another powerful key to unlock the door to your network.
Once Mirai is dropped on the vulnerable machine, the malware closes the OMI SSL port (5896) so that other hackers won’t be able to exploit it. This is indicative of the competition that goes on in the cybercrime space, as the first to implement an exploit for such a widespread flaw is oftentimes the only one to reap the benefits. It’s basically a race, and malware authors have to get it right before others do. Admins also take part in this race, as they need to patch their vulnerable systems before an exploit is out.
JupiterOne’s Tyler Shields told us:
On systems that can be exploited, Mirai installs itself and masquerades as “nginx”, the popular web server. The worm also tries to spread to other systems on the same network using the OMIGOD vulnerability set. Researchers at Cado Security who analyzed a sample of the latest Mirai found that the commands it issues are simply base64-encoded.
To check if your system uses the OMI agent, run the command for your distribution in a terminal:
For Debian-based systems: dpkg -l omi
For Red Hat-based distributions: rpm -qa omi
If the package is listed, you should update the component to the latest version. Microsoft has also published detailed guidance on how to manage and mitigate the associated risk, so make sure to read it carefully and follow it.
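The two package queries above can be wrapped in a small script that also compares the installed version against the fixed release. The script below is an added example, not code from the article, Cado Security or Microsoft; the FIXED_OMI_VERSION value is a placeholder that you must set from Microsoft's guidance, and the function names are the author's own.

```sh
#!/bin/sh
# Added example (not the article's or Cado Security's code): report whether the
# OMI agent is installed and whether it is older than the version Microsoft fixed.
# FIXED_OMI_VERSION is a placeholder; take the real value from Microsoft's guidance.
FIXED_OMI_VERSION="${FIXED_OMI_VERSION:-0.0.0}"

# Print the installed omi package version, or nothing when it is not installed
# (dpkg on Debian-based systems, rpm on Red Hat-based ones, as in the article).
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Status} ${Version}\n' omi 2>/dev/null |
            awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null
    fi
}

# version_ge A B: succeed when A >= B. Components compare numerically; dashes and
# other non-digit separators count as dots, so "1.6.8-1" equals "1.6.8.1".
version_ge() {
    a=$(printf '%s.' "$1" | tr -c '0-9.' '.')
    b=$(printf '%s.' "$2" | tr -c '0-9.' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # no components left: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}
# omi_needs_update VERSION: succeed when VERSION is installed but below the fix.
omi_needs_update() {
    [ -n "$1" ] || return 1                  # not installed: nothing to patch
    version_ge "$1" "$FIXED_OMI_VERSION" && return 1
    return 0
}
# Exit status: 0 = not installed or already fixed, 2 = vulnerable version present.
check_omi() {
    v=$(omi_installed_version)
    if [ -z "$v" ]; then echo "omi: not installed"; return 0; fi
    if omi_needs_update "$v"; then
        echo "omi $v: below $FIXED_OMI_VERSION, update required"; return 2
    fi
    echo "omi $v: at or above $FIXED_OMI_VERSION"
}
check_omi
```

Run it as root on each Linux VM with `FIXED_OMI_VERSION` set to the version from Microsoft's guidance; a status of 2 flags a host that still needs the update.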