Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

Linux Flaw

The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.

“Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP),” cloud security firm Aqua said in a report shared with The Hacker News.

The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.

Kinsing actors have a track record of opportunistically and swiftly adapting their attack chains to exploit newly disclosed security flaws to their advantage, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution.

The latest set of attacks entails exploiting a critical remote code execution shortcoming in PHPUnit (CVE-2017-9841), a tactic known to be employed by the cryptojacking group since at least 2021, to obtain initial access.

Linux Flaw

This is followed by manually probing the victim environment for Looney Tunables using a Python-based exploit published by a researcher who goes by the alias bl4sty on X (formerly Twitter).

“Subsequently, Kinsing fetches and executes an additional PHP exploit,” Aqua said. “Initially, the exploit is obscured; however, upon de-obfuscation, it reveals itself to be a JavaScript designed for further exploitative activities.”

The JavaScript code, for its part, is a web shell that grants backdoor access to the server, enabling the adversary to perform file management, command execution, and gather more information about the machine it’s running on.

The end goal of the attack appears to be to extract credentials associated with the cloud service provider for follow-on attacks, a significant tactical shift from its pattern of deploying the Kinsing malware and launching a cryptocurrency miner.

“This marks the inaugural instance of Kinsing actively seeking to gather such information,” the company said.

“This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments.”



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.