Kinsing Threat Actors Exploit Looney Tunables Flaw in Cloud Environments

November 4, 2023

Researchers from the cloud security firm Aqua have detected threat actors exploiting the recently uncovered Linux privilege escalation flaw known as Looney Tunables (CVE-2023-4911) in attacks targeting cloud environments. The flaw, a buffer overflow issue, resides in the GNU C Library’s dynamic loader ld.so during the processing of the GLIBC_TUNABLES environment variable. This vulnerability allows an attacker to execute code with elevated privileges.

The Kinsing threat actors have been seen probing this vulnerability in experimental incursions into cloud environments. Despite using a simple PHPUnit vulnerability exploit, the attackers have attempted to manipulate the Looney Tunables flaw. This is the first recorded instance of such an exploit, according to the Aqua firm.

The Kinsing actors are broadening their attack scope by extracting credentials from the Cloud Service Provider (CSP). This suggests that these actors are quickly incorporating new exploits into their toolkit, thereby increasing the potential range of targets. Recently, these actors were seen exploiting vulnerable Openfire servers.

Historically, the Kinsing actors have exploited the PHPUnit vulnerability (CVE-2017-9841) and engaged in fully automated attacks for the purpose of mining cryptocurrency. However, with this recent discovery, researchers have observed Kinsing conducting manual tests, marking a deviation from their typical operations.

The attackers were seen using a Python-based Linux local privilege escalation exploit published by the researcher bl4sty. The exploit targets the Looney Tunables vulnerability (CVE-2023-4911) in GNU libc’s ld.so. The exploit is based on the exploitation methodology detailed in the Qualys writeup, and is compatible with x86(_64) and aarch64 architectures.

Once the attackers de-obfuscate a JavaScript, they design it to create a web shell backdoor that allows further unauthorized access to the server. The Kinsing threat actors then attempt to enumerate the details and credentials associated with the CSP to conduct further malicious activities. The types of credentials and sensitive data that can be compromised include Temporary Security Credentials, IAM Role Credentials, and Instance Identity Tokens.

According to security researcher Assaf Morag, this is the first instance of Kinsing actively seeking to gather such information. The report concludes that Kinsing is expanding its operations by trying to collect credentials from CSPs, indicating a potential broadening of their operational scope and an increased threat to cloud-native environments.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.