New Blog Post | Hunting for OMI Vulnerability Exploitation with Azure Sentinel

Microsoft

Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community

Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the MSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this blog, we share what we know about current attacks in the wild, the agents and software involved, indicators for defenders to look for on host machines, and new detections in Azure Sentinel.