The Kinsing threat actors are attempting to exploit a newly disclosed Linux local privilege escalation vulnerability known as Looney Tunables in a novel, experimental campaign to infiltrate cloud environments.
According to the report, the attackers are expanding their cloud-native attack tactics by extracting credentials for Cloud Service Providers (CSPs). This incident is the first documented in-the-wild exploitation of Looney Tunables (CVE-2023-4911), a buffer overflow in the glibc dynamic loader (ld.so) in its handling of the GLIBC_TUNABLES environment variable, which can give a local attacker root privileges on the affected host.
Kinsing is notorious for quickly adapting its tooling to abuse newly disclosed security vulnerabilities. In this campaign the group exploits a critical remote code execution vulnerability in PHPUnit (CVE-2017-9841), a technique the cryptojacking group has been associated with since at least 2021. According to the report, this is how the operators obtained initial access.
Because Looney Tunables is a local privilege escalation, that foothold is what makes it reachable: the operators use the compromised host to test whether it is vulnerable to the new flaw.
They do this manually, probing the victim's environment with a Python-based exploit published by the researcher known as "bl4sty."
Kinsing then fetches and runs an additional PHP exploit. The file is delivered obfuscated; once de-obfuscated it turns out to be JavaScript code intended for further exploitation.
This JavaScript code is a web shell that gives the attackers backdoor access to the server, letting them manage files, execute commands, and collect information about the compromised machine.
The main objective of these attacks appears to be extracting credentials for the cloud service provider. This marks a significant shift from the group's previous pattern of deploying the Kinsing malware and launching cryptocurrency miners.
Separate security research also noted that this development signals a potential expansion of Kinsing's operational scope, suggesting the operation may soon diversify and intensify and pose a growing threat to cloud-native environments.
Administrators of cloud environments should treat this threat with urgency and patch the newly disclosed vulnerability immediately, since groups such as Kinsing weaponise new flaws quickly. Because distributions backport the glibc fix without bumping the version number, a version check alone does not tell you whether a host is patched; test the loader's behaviour instead.
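One way to confirm whether a host is still exposed, as an added example not taken from the report or from any vendor's tooling: reproduce the widely circulated CVE-2023-4911 probe, `env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$(printf '%08192x' 1)" /usr/bin/su --help`, from Python. On a vulnerable ld.so the setuid `su` dies with SIGSEGV before it ever runs; on a patched loader (or a non-glibc system such as musl) it simply prints its help. The candidate paths for `su` and the 10-second timeout are assumptions of this example.

```python
"""Added example: behavioural probe for CVE-2023-4911 (Looney Tunables).
Only a SIGSEGV of the child is treated as a positive result."""
import os
import signal
import subprocess

# The nested tunable assignment that triggers the overflow in ld.so.
PROBE_TUNABLES = "glibc.malloc.mxfast=glibc.malloc.mxfast=A"
# Where su usually lives; an assumption of this example.
SU_CANDIDATES = ("/usr/bin/su", "/bin/su")


def probe_looney_tunables(candidates=SU_CANDIDATES, timeout=10):
    """Return 'vulnerable', 'not-vulnerable' or 'untestable'.

    Starts a setuid su with the probe environment only (equivalent to env -i)
    and checks how the child terminated. Anything other than a segfault,
    including help text, a non-zero exit, or a musl loader that ignores
    GLIBC_TUNABLES, is reported as not-vulnerable."""
    exe = next((p for p in candidates if os.path.isfile(p)), None)
    if exe is None:
        return "untestable"
    env = {
        "GLIBC_TUNABLES": PROBE_TUNABLES,
        "Z": "0" * 8191 + "1",  # same 8192-byte padding as printf '%08192x' 1
    }
    try:
        proc = subprocess.run([exe, "--help"], env=env,
                              capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "untestable"
    if proc.returncode == -signal.SIGSEGV:
        return "vulnerable"
    return "not-vulnerable"


if __name__ == "__main__":
    print("CVE-2023-4911:", probe_looney_tunables())
```

Run it as an unprivileged user on each host image before and after applying the distribution's glibc update; a result of `vulnerable` means the local privilege escalation in the chain described above is available to anyone who gains code execution on that host.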