OMIGOD vulnerabilities / Apple fixed newest 0-day / Windows Subsystem for Linux

Welcome to Security Center – our weekly update on the most devastating cyberattacks, high-severity vulnerabilities, and biggest data leaks – hand-picked by our editors.

Don’t miss out! Sign up now and have it delivered to your inbox each Monday to start the week safe and sound. You will also receive a selection of the hottest company news and access to selected technical articles written by our experts, with advice and tricks for more effective protection of your IT infrastructure.

In the meantime, let’s check what happened in the cyber-world last week.

OMIGOD: Azure users warned of critical OMI vulnerabilities

Microsoft patched four vulnerabilities in Open Management Infrastructure (OMI), a widely deployed but little-known software agent embedded in many commonly used Azure services. The flaws, collectively dubbed OMIGOD, include the unauthenticated remote code execution bug CVE-2021-38647 and the local privilege escalation vulnerabilities CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649.

These vulnerabilities affect several different services within Azure that silently use OMI, such as Azure Automation, Azure Automatic Update, Azure Operations Management Suite, Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics.

What is OMI? It is an open-source UNIX/Linux equivalent of Windows Management Instrumentation (WMI) that is deployed on many Linux virtual machines in Azure, enabling users to manage configurations across remote and local environments and to collect statistics. When an organization sets up a Linux virtual machine (VM) in its cloud and enables any of these services, OMI is silently installed on the VM and runs as root, the highest privilege on the system.

Fix(it)? OMI is updated through the Azure service (extension) that installed it, so there is no separate patch to apply by hand, but that also means you cannot assume the update happened. Users should urgently verify that their environment is patched and that every VM is running the fixed OMI version (1.6.8-1 or later). Extra caution is required: while OMI itself has been updated, the Azure services that bundle it had not all been updated at the time of writing and could still deploy a vulnerable OMI when a service is enabled on a new machine. Until they are, treat the OMI listener ports (TCP 5985, 5986, and 1270) as exposed and restrict them with network security group or host firewall rules, since CVE-2021-38647 is exploitable without authentication over that listener.
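As an added example (not from this newsletter and not Microsoft's own tooling), this is the check a VM owner would run from a shell on an affected Linux host: it reads the installed OMI package version, compares it with the fixed build, and reports whether the OMI remote listener is exposed. It assumes the fixed package version is 1.6.8-1 (Microsoft's advisory for CVE-2021-38647) and that the listener uses the OMI/WSMan default ports 5985, 5986 and 1270; the `ss` output embedded in the script is a constructed sample, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit a Linux VM for the OMIGOD fix. Not from the newsletter
# or from Microsoft. Assumptions: the patched package version is 1.6.8-1
# (Microsoft's advisory for CVE-2021-38647), and OMI's remote listener uses
# TCP 5985/5986/1270. rpm reports the version as "1.6.8-1" and dpkg as
# "1.6.8.1", so '.' and '-' are treated as the same separator.

FIXED_OMI="1.6.8-1"

# version_ge A B: exit 0 when version A >= version B. Fields are split on
# '.' or '-'; missing or non-numeric fields count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# omi_status VERSION: print "fixed" or "vulnerable" for an installed OMI version.
omi_status() {
  if version_ge "$1" "$FIXED_OMI"; then echo fixed; else echo vulnerable; fi
}

# Installed OMI package version from dpkg or rpm; prints nothing if OMI is absent.
installed_omi_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' omi 2>/dev/null || true
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' omi || true
  fi
}

# omi_listener_ports: read `ss -ltn` or `netstat -ltn` output on stdin and
# print the OMI/WSMan ports that are listening, space-separated, or nothing.
omi_listener_ports() {
  awk '($1 == "LISTEN" || $6 == "LISTEN") {
         n = split($4, p, ":"); port = p[n]
         if (port == "5985" || port == "5986" || port == "1270") print port
       }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -ltn` output (not captured from a real VM).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5985       0.0.0.0:*
LISTEN 0      128    [::]:5986          [::]:*'

# audit_host: report on the machine this script runs on.
audit_host() {
  v=$(installed_omi_version)
  if [ -z "$v" ]; then
    echo "OMI is not installed on this host"
    return 0
  fi
  echo "OMI $v: $(omi_status "$v")"
  if command -v ss >/dev/null 2>&1; then
    ports=$(ss -ltn 2>/dev/null | omi_listener_ports)
    if [ -n "$ports" ]; then
      echo "OMI listening on TCP $ports: restrict with NSG/host firewall rules until patched"
    fi
  fi
}

audit_host
echo "sample listener check: $(printf '%s\n' "$SAMPLE_SS" | omi_listener_ports)"
```

Run it as root on each Linux VM (or push it through Run Command) and act on two outputs: a "vulnerable" verdict means the extension has not yet delivered the 1.6.8-1 package, and any listed port means the unauthenticated RCE path is reachable from whatever can route to that VM, which is the case to block first.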


Apple issues urgent updates to fix new zero-day linked to Pegasus spyware

Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to fix two actively exploited vulnerabilities. The first – CVE-2021-30858 (WebKit) – is a use-after-free that could result in arbitrary code execution when processing maliciously crafted web content; it has been addressed with improved memory management. The second – CVE-2021-30860 (CoreGraphics) – is an integer overflow that could lead to arbitrary code execution when processing a maliciously crafted PDF document; it has been remediated with improved input validation. iPhone, iPad, Mac, and Apple Watch users are advised to update immediately, as both flaws are being exploited in the wild.

Possible threats. The updates arrive weeks after researchers revealed details of a zero-day exploit called “FORCEDENTRY” (aka Megalodon), which Citizen Lab tied to the CoreGraphics bug CVE-2021-30860. Besides being triggered simply by sending a malicious message to the target, with no user interaction at all, FORCEDENTRY is notable for expressly undermining BlastDoor, the security feature Apple introduced in iOS 14 to prevent zero-click intrusions by isolating the parsing of untrusted data sent over iMessage.


New malware uses Windows Subsystem for Linux for stealthy attacks

Security researchers have discovered malicious Linux binaries created for the Windows Subsystem for Linux (WSL), indicating that hackers are trying out new methods to compromise Windows machines.

Right now researchers believe that the code is still being developed. Less than a month ago, one of the malicious Linux files was detected by just one antivirus engine on VirusTotal, and refreshing the scan on another sample showed that it went completely undetected there. One of the variants, written entirely in Python 3, does not use any Windows API and seems to be a first attempt at a loader for WSL; it relies only on standard Python libraries, which makes it compatible with both Windows and Linux. Another “ELF to Windows” loader variant relied on PowerShell to inject and execute the shellcode. One of these samples used Python to call functions that killed the running antivirus solution, established persistence on the system, and ran a PowerShell script every 20 seconds.


More IT security must-reads

  1. WhatsApp’s End-to-End Encryption Isn’t Actually Broken (Threatpost)
  2. Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers (Imperva Blog)
  3. Google patches two Chrome zero-days (ZDNet)
  4. Popular NPM package Pac-Resolver affected by a critical flaw (Security Affairs)
  5. Serious Flaw Found in HP OMEN Driver (Infosecurity Magazine)
  6. Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks (Security Affairs)
  7. Ransomware gang threatens to wipe decryption key if negotiator hired (Bleeping Computer)
  8. Patch now! PrintNightmare over, MSHTML fixed, a new horror appears … OMIGOD (Malwarebytes Labs)
  9. Microsoft rolls out passwordless login for all Microsoft accounts (Bleeping Computer)