Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments
4.11.23  Vulnerability  The Hacker News

The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments.

"Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud security firm Aqua said in a report shared with The Hacker News.

The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.

Kinsing actors have a track record of opportunistically and swiftly adapting their attack chains to exploit newly disclosed security flaws to their advantage, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution.

The latest set of attacks entails exploiting a critical remote code execution shortcoming in PHPUnit (CVE-2017-9841), a tactic known to be employed by the cryptojacking group since at least 2021, to obtain initial access.


This is followed by manually probing the victim environment for Looney Tunables using a Python-based exploit published by a researcher who goes by the alias bl4sty on X (formerly Twitter).

"Subsequently, Kinsing fetches and executes an additional PHP exploit," Aqua said. "Initially, the exploit is obscured; however, upon de-obfuscation, it reveals itself to be a JavaScript designed for further exploitative activities."

The JavaScript code, for its part, is a web shell that grants backdoor access to the server, enabling the adversary to manage files, execute commands, and gather more information about the machine it's running on.

The end goal of the attack appears to be to extract credentials associated with the cloud service provider for follow-on actions, a significant tactical shift from the threat actor's pattern of deploying the Kinsing malware and launching a cryptocurrency miner.

"This marks the inaugural instance of Kinsing actively seeking to gather such information," security researcher Assaf Morag said.

"This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments."
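
For defenders, the initial-access step described above (PHPUnit CVE-2017-9841) can be checked for in web server access logs. The following is an added example, not code from the article or from Aqua's report; it assumes Combined Log Format, the script path is taken from the public advisory for the CVE rather than from this page, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path suffix of the PHPUnit script affected by CVE-2017-9841 (from the public
# advisory, not from this article); matched case-insensitively after decoding.
VULN_SUFFIX = "/util/php/eval-stdin.php"

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, decode percent-encoding (twice, to catch
    double-encoded requests), collapse repeated slashes and lower-case."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/+", "/", path).lower()

def scan(lines):
    """Return {ip: {"probes": n, "served": [(timestamp, target), ...]}}.
    'served' holds requests answered with 2xx: the script exists and responded."""
    hits = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not normalize(m["target"]).endswith(VULN_SUFFIX):
            continue
        rec = hits[m["ip"]]
        rec["probes"] += 1
        if m["status"].startswith("2"):
            rec["served"].append((m["ts"], m["target"]))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [04/Nov/2023:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Nov/2023:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [04/Nov/2023:10:02:00 +0000] "POST /app//vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [04/Nov/2023:10:02:01 +0000] "GET /lib/phpunit/Util/PHP/Eval-Stdin.PHP HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, rec in scan(SAMPLE).items():
        print(ip, "probes:", rec["probes"], "served:", len(rec["served"]))
```

Any entry under `served` means the script is reachable on that host and warrants removing the PHPUnit development files from the web root and reviewing the host for follow-on activity.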