Wiz researchers, who discovered the series of four flaws in Azure’s Open Management Infrastructure (OMI) agent known as OMIGOD, presented further findings at the RSA Conference: almost all cloud service providers install similar agents on customers’ virtual machines without the customers’ knowledge or explicit consent.
In a blog post accompanying the presentation, Wiz’s Nir Ohfeld and Shir Tamari explain that these agents are middleware connecting customers’ virtual machines to other provider-managed services. Agents are needed to enable advanced VM features such as log collection, automatic updates, and configuration synchronization, but they also add new attack surface that customers cannot defend because they do not know it exists.
In the case of OMIGOD, one of the bugs, rated CVSS 9.8/10, allowed an unauthenticated attacker to execute code remotely and gain root. Microsoft released fixes for the vulnerabilities, but most of them had to be applied manually. The flaw can be exploited to take administrative control of a vulnerable machine on the network, without authentication or any other check.
Because the vulnerability requires no user interaction or privileges, an attacker can run code on an affected system simply by sending it a specially crafted message, warned Dustin Childs of the Zero Day Initiative. OMI users should test and deploy the fix soon.
To address the growing risk posed by cloud middleware right away, Wiz has launched a community-driven GitHub page to map every cloud provider agent installed on customers’ machines, together with the additional attack surface each one brings. Ohfeld and Tamari said that, based on their research, there are likely more agents that neither security researchers nor cloud customers know about.
Here are some of these agents that have been secretly installed according to Wiz:
- Google Accounts program, Cloud Provider: Google Cloud Platform;
- OSConfig Agent from Google, Cloud Provider: Google Cloud Platform;
- Google Guest Agent, Cloud Provider: Google Cloud Platform;
- Open Management Infrastructure (OMI), Cloud Provider: Azure;
- Microsoft Azure Guest Agent (WALinuxAgent), Cloud Provider: Azure;
- Operations Management Suite (OMS) Agent, Cloud Provider: Azure;
- AWS Systems Manager Agent (SSM Agent), Cloud Provider: AWS;
- AWS PV Drivers, Cloud Provider: AWS;
- AWS ECS Container Agent, Cloud Provider: AWS.
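Since the fixes had to be applied by hand, the first defensive step is knowing which of these agents a VM actually runs. The following inventory script is an added example, not Wiz’s dataset or code: it parses `dpkg -l` style rows, maps the package names to the agents in the list above, and flags an OMI build older than the patched release. The package names and the fixed OMI version (1.6.8.1) are assumptions, as the page gives neither.

```python
import re
from typing import Dict, List, Tuple

# Agents from the Wiz list, keyed by the Linux package name each is assumed to ship under.
KNOWN_AGENTS: Dict[str, Tuple[str, str]] = {
    "omi": ("Azure", "Open Management Infrastructure (OMI)"),
    "omsagent": ("Azure", "Operations Management Suite (OMS) Agent"),
    "walinuxagent": ("Azure", "Azure Guest Agent (WALinuxAgent)"),
    "amazon-ssm-agent": ("AWS", "Systems Manager Agent (SSM Agent)"),
    "amazon-ecs-init": ("AWS", "ECS Container Agent"),
    "google-guest-agent": ("GCP", "Google Guest Agent"),
    "google-osconfig-agent": ("GCP", "OSConfig Agent"),
}

# Assumed fixed release for OMIGOD; anything older is reported as unpatched.
OMI_FIXED_VERSION = (1, 6, 8, 1)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.8.1' or '1.6.8-1' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_dpkg(lines: List[str]) -> Dict[str, str]:
    """Parse 'dpkg -l' rows ('ii  name  version  arch  description') into {name: version}."""
    installed: Dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1].split(":")[0]] = parts[2]  # drop any ':arch' suffix
    return installed

def inventory(lines: List[str]) -> List[dict]:
    """List every known cloud agent present, marking an OMI build below the fixed version."""
    findings = []
    for name, version in parse_dpkg(lines).items():
        if name not in KNOWN_AGENTS:
            continue
        provider, label = KNOWN_AGENTS[name]
        unpatched = name == "omi" and parse_version(version) < OMI_FIXED_VERSION
        findings.append({"package": name, "provider": provider, "agent": label,
                         "version": version, "omigod_unpatched": unpatched})
    return findings

# Constructed sample in 'dpkg -l' format, not captured from a real host.
SAMPLE = [
    "ii  omi              1.6.4.1     amd64  Open Management Infrastructure",
    "ii  omsagent         1.13.40-0   amd64  Operations Management Suite agent",
    "ii  walinuxagent     2.2.45-0    all    Azure Linux guest agent",
    "ii  openssh-server   1:8.2p1-4   amd64  secure shell (SSH) server",
]

if __name__ == "__main__":
    for finding in inventory(SAMPLE):
        print(finding)
```

On a live Debian-based VM, feed it `dpkg -l` output; RPM-based hosts need an equivalent parser for `rpm -qa` rows.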
Trend Micro’s survey results indicate that most organizations do not understand their own attack surface. In all, 73% of the 6,297 IT and business decision-makers surveyed said they were concerned about the growth of their attack surface, yet only 51% said they could fully define it.
Just over a third of respondents described their security infrastructure as “chaotic and ever-changing,” while 43% admitted their attack surface was out of control, according to Trend Micro. Cloud environments were cited as the most opaque, and since most providers install middleware silently, it is easy to see why.
Bharat Mistry, chief technology officer at Trend Micro, said the rapid IT upgrades made at the start of the COVID-19 pandemic are a major reason for today’s attack surface visibility problems. In many cases, he said, those upgrades inadvertently expanded the digital attack surface, giving threat actors more opportunities to go after key assets.
The study also lists a series of reasons why visibility has not improved, among them opaque supply chains, shadow IT services, remote employees, and ongoing technical changes to vendor products. Separately, private sector groups and cyber advocacy groups issued a joint statement on Tuesday calling for increased cooperation between the public and private sectors to improve the country’s cybersecurity preparedness.
Secretary Chertoff, a member of the Steering Committee of the Multilateral Cyber Action Committee (MCAC), the organization that coordinated the statement, said:
MCAC is a global committee focused on improving cybersecurity for a secure and open internet and wants to pursue a deep partnership between the public and private sectors. In the United States, we believe the joint statement underscores the current successes of the Joint Cyber Defense Collaborative, as well as its need for continued growth and development. We are determined to achieve this.
Effective engagement requires collaboration and leadership by the public and private sectors to address issues such as the SolarWinds supply chain attack, the Log4j vulnerabilities, cybercriminal software, and threats from Russia and malicious nation-state actors. The signatories seek to build on existing initiatives to deepen public-private partnerships. Mark Montgomery, CEO of the Cyberspace Solarium Commission 2.0, said:
The Solarium Commission has always emphasized that effective deterrence in cyberspace is a three-legged stool, dependent on investments in defense capabilities, investments in cost-enforcement capabilities, which is the most difficult, and establishing public-private cooperation to defend our vital infrastructure. We advocate that this specific national security challenge be addressed through these five initiatives.
The group of organizations is committed to improving collaboration between the public and private sectors and actively seeks to engage US government partners to generate ideas and initiatives that build national cyber resilience. They aim to help both sectors increase the impact of collaborative efforts such as the Joint Cyber Defense Collaborative (JCDC), among others, through a combination of outreach, capacity building, and scaling up. General Joseph L. Votel, USA (Ret.), President and CEO of Business Executives for National Security, says:
Public-private cooperation has never been more important to defending American interests in cyberspace. Only the perfect integration of the best technology, the best talent, and the best processes from business, government, and the military can successfully fend off the constant onslaught of our adversaries.
The recommendations advocated by the MCAC are closely aligned with the mission of the Coalition for Midmarket Cyber Excellence (CMCE). Middle-market companies struggling with cybersecurity are underrepresented in the government landscape and in policy debates. Expanding existing public-private collaborations is an important step toward securing midmarket companies that are essential to the country’s critical infrastructure, said Emily Coyle, executive director of the Coalition for Midmarket Cyber Excellence.
Sources: Wiz (1, 2), CACM
What do you think about it?