Microsoft Offers More Info on MSHTML and OMI Security Holes
Microsoft recently offered more information about two different security vulnerabilities addressed in last week's "update Tuesday" patch release.
Its security teams described attack scenarios associated with a "Critical" vulnerability in Open Management Infrastructure (OMI) in Azure virtual machine management extensions, plus steps for organizations to take. The teams also provided added details on an "Important" vulnerability in the MSHTML Internet Explorer Trident engine associated with Microsoft Office documents and phishing attempts, providing some tooling advice.
MSHTML Used for Targeted Ransomware Attacks
The MSHTML vulnerability was getting exploited by attackers aiming to inject Cobalt Strike command and control software, starting as early as Aug. 18, with the aim of installing human-controlled ransomware. It was a small campaign, with "less than 10" attacks seen. The attack campaign was first observed by security researchers at Mandiant.
RiskIQ, a security solutions company owed by Microsoft, also tracked the MSHTML exploit attempts. RiskIQ researchers suggested that the MSHTML-based attacks may have been coming from a "ransomware syndicate known as WIZARD SPIDER," according to this blog post. The attackers possibly sought to carry out financial crimes or espionage, RiskIQ indicated.
These attackers targeted a small number of people using an e-mailed phishing lure that purported to seek the help of a mobile application developer. A later attack phase starting on Sept. 1 switched tactics and used fake e-mails purporting to come from a small claims court.
Microsoft saw a spike in use of the MSHTML vulnerability after "a third-party researcher" shared a sample of attack code with Mandiant. That coincidence elicited the dry comment from Microsoft that it is working "to deconflict testing from actual exploitation."
Organizations can apply the security update for the MSHTML vulnerability (CVE-2021-40444), plus other September fixes, to ward off possible attacks. Automatic update should be turned on, Microsoft recommended.
Microsoft also advised blocking "all Office applications from creating child processes," which can be done using its attack surface reduction rules.
For users of the Microsoft Defender Antivirus product and the Microsoft Defender for Endpoint product, the announcement included a bulleted list of steps to take. Also included in Microsoft's advice were advanced hunting tips for Microsoft 365 Defender and Azure Sentinel users.
OMI in Azure Targeted by Botnets
Microsoft also last week clarified the steps to take to protect against Azure OMI vulnerabilities with "additional guidance" beyond just applying the September patches.
The September patches will only protect newly created Azure virtual machines, noted Will Dormann, a vulnerability Analyst at the CERT/CC, in this Twitter thread. "Existing VMs will require manual user interaction to add the MSRepo," Dormann added.
The vulnerabilities in OMI Linux open source software used across Azure were first noticed by security solutions company Wiz, which dubbed them "OMIGOD." Microsoft only began getting its Azure services patched and updated on Sept. 17, according to the Wiz's chronology. Exploit attempts are currently ongoing from distributed denial-of-service botnets and cryptominers, Wiz indicated.
Microsoft noted that "all OMI versions below v1.6.8-1 are vulnerable," although, since Microsoft oversees Azure infrastructure, organizations using its services likely aren't aware of such details. Microsoft's announcement did say that "all customers that are impacted will be notified directly," but it also listed some actions that organizations can take.
Organizations can scan for vulnerable virtual machines using the scanner tool and script listed by Microsoft. Organizations will have to update vulnerable extensions when updates become available for specific Azure services. In the meantime, Microsoft recommended "ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270)."
For Azure Sentinel users, Microsoft described how to hunt for the OMI vulnerabilities in this announcement. There's also guidance on using Azure Security Center.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.