Researchers from the cloud security firm Aqua have detected threat actors exploiting the recently disclosed Linux privilege escalation flaw known as Looney Tunables (CVE-2023-4911) in attacks targeting cloud environments. The flaw is a buffer overflow in the GNU C Library's dynamic loader, ld.so, triggered while it processes the GLIBC_TUNABLES environment variable. It allows a local attacker to execute code with elevated privileges.
The Kinsing threat actors have been seen probing this vulnerability in experimental incursions into cloud environments. Although their initial access still relied on a simple PHPUnit exploit, the attackers went on to attempt exploitation of the Looney Tunables flaw. According to Aqua, this is the first recorded instance of such an attempt.
The Kinsing actors are also broadening their attack scope by extracting credentials from the cloud service provider (CSP). This suggests that they are quickly incorporating new exploits into their toolkit, thereby increasing their potential range of targets. Recently, the same actors were seen exploiting vulnerable Openfire servers.
Historically, the Kinsing actors have exploited the PHPUnit vulnerability (CVE-2017-9841) in fully automated attacks aimed at cryptocurrency mining. With this recent discovery, however, researchers have observed Kinsing conducting manual tests, a deviation from their typical operations.
The attackers were seen using a Python-based Linux local privilege escalation exploit published by the researcher bl4sty. The exploit targets the Looney Tunables vulnerability (CVE-2023-4911) in GNU libc's ld.so, follows the exploitation methodology detailed in the Qualys writeup, and supports the x86, x86_64 and aarch64 architectures.
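The flaw described above is triggered by a malformed GLIBC_TUNABLES string, and a defender watching process-start telemetry can flag that shape before worrying about which exploit script produced it. The following detection sketch is an added example written for this page, not code from Aqua, bl4sty or Qualys; it assumes a simple event format (pid, executable, environment dictionary) and a length threshold for legitimate tunables strings, and its sample events are constructed.

```python
from typing import List, Optional, Tuple

# Constructed sample process-start events (not from the article). A real
# pipeline would populate these from auditd/eBPF exec telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "exe": "/usr/bin/su",
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=" + "A" * 1400}},
    {"pid": 102, "exe": "/usr/bin/python3",
     "env": {"GLIBC_TUNABLES": "glibc.malloc.check=3"}},
    {"pid": 103, "exe": "/bin/ls", "env": {}},
    {"pid": 104, "exe": "/usr/bin/sudo",
     "env": {"GLIBC_TUNABLES": "glibc.rtld.nns=2:glibc.malloc.tcache_count=0"}},
]

# Assumption: benign tunables strings are a handful of name=value pairs.
MAX_SANE_LEN = 256


def tunables_verdict(value: str) -> Optional[str]:
    """Explain why a GLIBC_TUNABLES string looks like a CVE-2023-4911 probe.

    Legitimate input is colon-separated name=value pairs. The vulnerable
    parser mishandles an element of the form name=name=value, so a nested
    '=' inside one element is the primary signal; an oversized value is a
    secondary one. Returns None for input that looks benign.
    """
    for element in value.split(":"):
        if element.count("=") > 1:
            return f"malformed element with nested '=': {element[:40]}"
    if len(value) > MAX_SANE_LEN:
        return f"oversized value ({len(value)} bytes)"
    return None


def scan_events(events) -> List[Tuple[int, str, str]]:
    """Return (pid, exe, reason) for every event carrying a suspicious string."""
    findings = []
    for ev in events:
        value = ev["env"].get("GLIBC_TUNABLES")
        if value is None:
            continue  # variable not set: nothing to inspect
        reason = tunables_verdict(value)
        if reason:
            findings.append((ev["pid"], ev["exe"], reason))
    return findings


if __name__ == "__main__":
    for pid, exe, reason in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} exe={exe}: {reason}")
```

On a patched host the same telemetry still shows the string, so pair the alert with a glibc version check rather than treating every hit as a successful escalation.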
According to security researcher Assaf Morag, this is the first instance of Kinsing actively seeking to gather such credentials. The report concludes that Kinsing is expanding its operations by attempting to collect credentials from CSPs, indicating a potential broadening of their operational scope and an increased threat to cloud-native environments.