Kinsing Threat Actors Exploit Looney Tunables Flaw in Cloud Environments
November 4, 2023
Researchers from the cloud security firm Aqua have detected threat actors exploiting the recently uncovered Linux privilege escalation flaw known as Looney Tunables (CVE-2023-4911) in attacks targeting cloud environments. The flaw, a buffer overflow issue, resides in the GNU C Library’s dynamic loader ld.so during the processing of the GLIBC_TUNABLES environment variable. This vulnerability allows an attacker to execute code with elevated privileges.
The Kinsing threat actors have been seen probing this vulnerability in experimental incursions into cloud environments. Although initial access still relied on a simple PHPUnit vulnerability exploit, the attackers then attempted to exploit the Looney Tunables flaw. According to Aqua, this is the first recorded instance of such an exploit attempt.
The Kinsing actors are broadening their attack scope by extracting credentials from the Cloud Service Provider (CSP). This suggests that these actors are quickly incorporating new exploits into their toolkit, thereby increasing the potential range of targets. Recently, these actors were seen exploiting vulnerable Openfire servers.
Historically, the Kinsing actors have exploited the PHPUnit vulnerability (CVE-2017-9841) and engaged in fully automated attacks for the purpose of mining cryptocurrency. However, with this recent discovery, researchers have observed Kinsing conducting manual tests, marking a deviation from their typical operations.
The attackers were seen using a Python-based Linux local privilege escalation exploit published by the researcher bl4sty. The exploit targets the Looney Tunables vulnerability (CVE-2023-4911) in GNU libc’s ld.so. The exploit is based on the exploitation methodology detailed in the Qualys writeup, and is compatible with x86(_64) and aarch64 architectures.
Once de-obfuscated, the JavaScript used by the attackers is designed to create a web shell backdoor that allows further unauthorized access to the server. The Kinsing threat actors then attempt to enumerate the details and credentials associated with the CSP to conduct further malicious activities. The types of credentials and sensitive data that can be compromised include Temporary Security Credentials, IAM Role Credentials, and Instance Identity Tokens.
According to security researcher Assaf Morag, this is the first instance of Kinsing actively seeking to gather such information. The report concludes that Kinsing is expanding its operations by trying to collect credentials from CSPs, indicating a potential broadening of their operational scope and an increased threat to cloud-native environments.
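The flaw described above is triggered through the GLIBC_TUNABLES environment variable, so one inexpensive host-side check is to look at the environment of running processes for tunable strings that do not have the normal `glibc.name=value` shape. The following Python script is an added example written for this article; it is not code from Aqua, from the exploit author, or from the glibc project. It assumes the publicly documented trigger form in which the value of one tunable is itself another `tunable=` assignment, and the function and sample names are the author's own.

```python
import os
import re

# Legitimate tunable names are dotted identifiers such as glibc.malloc.mxfast.
TUNABLE_NAME = re.compile(r"^glibc(\.[A-Za-z0-9_]+)+$")


def suspicious_tunables(value, max_len=1024):
    """Return reasons why a GLIBC_TUNABLES value looks like CVE-2023-4911 probing.

    An empty list means the value has the ordinary name=value[:name=value] shape.
    The length limit is an assumption chosen for this example, not a glibc constant.
    """
    reasons = []
    if len(value) > max_len:
        reasons.append("oversized value (%d bytes)" % len(value))
    for entry in value.split(":"):
        if not entry:
            continue
        name, sep, rest = entry.partition("=")
        if not sep:
            reasons.append("entry without '=': %r" % entry[:40])
            continue
        if not TUNABLE_NAME.match(name):
            reasons.append("unknown tunable name %r" % name[:40])
        # The published trigger shape: the value of one tunable is itself 'tunable=...'.
        inner_name, inner_sep, _ = rest.partition("=")
        if inner_sep and TUNABLE_NAME.match(inner_name):
            reasons.append("nested tunable assignment in %r" % name)
    return reasons


def scan_environ_blocks(blocks):
    """Scan (pid, raw_environ_bytes) pairs as read from /proc/<pid>/environ.

    Returns a list of (pid, reasons) for processes whose GLIBC_TUNABLES looks suspicious.
    """
    findings = []
    prefix = b"GLIBC_TUNABLES="
    for pid, raw in blocks:
        for item in raw.split(b"\0"):
            if item.startswith(prefix):
                value = item[len(prefix):].decode("utf-8", "replace")
                reasons = suspicious_tunables(value)
                if reasons:
                    findings.append((pid, reasons))
    return findings


def read_proc_environs():
    """Live /proc reader; reading other users' processes needs root."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/environ" % pid, "rb") as fh:
                yield int(pid), fh.read()
        except OSError:
            continue


# Constructed sample environment blocks (not captured from a real host).
SAMPLE_BLOCKS = [
    (1001, b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.tcache_count=0\0HOME=/root\0"),
    (1002, b"GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.tcache_count=AAAA\0LANG=C\0"),
    (1003, b"LANG=C\0"),
]


if __name__ == "__main__":
    for pid, reasons in scan_environ_blocks(read_proc_environs()):
        print(pid, "; ".join(reasons))
```

Run as root to cover every process, or feed it `SAMPLE_BLOCKS` to see the heuristic flag only the nested assignment. A hit is a reason to look at that process's parent chain and at how it obtained its environment, not proof of exploitation; the definitive fix remains updating glibc to a patched build.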