Lucene search

K
thnThe Hacker NewsTHN:F2C870F137774AD856C864F6BBA2D0D4
HistoryNov 03, 2023 - 1:12 p.m.

Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

2023-11-0313:12:00
The Hacker News
thehackernews.com
71
kinsing
linux flaw
looney tunables
cloud security
credential extraction
web shell
backdoor access

AI Score

8.6

Confidence

High

EPSS

0.975

Percentile

100.0%

Linux Flaw

The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.

“Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP),” cloud security firm Aqua said in a report shared with The Hacker News.

The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.

Cybersecurity

Kinsing actors have a track record of opportunistically and swiftly adapting their attack chains to exploit newly disclosed security flaws to their advantage, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution.

The latest set of attacks entails exploiting a critical remote code execution shortcoming in PHPUnit (CVE-2017-9841), a tactic known to be employed by the cryptojacking group since at least 2021, to obtain initial access.

Linux Flaw

This is followed by manually probing the victim environment for Looney Tunables using a Python-based exploit published by a researcher who goes by the alias bl4sty on X (formerly Twitter).

“Subsequently, Kinsing fetches and executes an additional PHP exploit,” Aqua said. “Initially, the exploit is obscured; however, upon de-obfuscation, it reveals itself to be a JavaScript designed for further exploitative activities.”

The JavaScript code, for its part, is a web shell that grants backdoor access to the server, enabling the adversary to perform file management, command execution, and gather more information about the machine it’s running on.

Cybersecurity

The end goal of the attack appears to be to extract credentials associated with the cloud service provider for follow-on actions, a significant tactical shift from the threat actor’s pattern of deploying the Kinsing malware and launching a cryptocurrency miner.

“This marks the inaugural instance of Kinsing actively seeking to gather such information,” security researcher Assaf Morag said.

“This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.