The cybercriminal group associated with Kinsing has commenced attempts to exploit a newly identified Linux privilege escalation vulnerability known as Looney Tunables. This initiative appears to be part of an experimental campaign targeting cloud environments. According to cloud security firm Aqua, Kinsing is also expanding its attack vectors by extracting credentials from Cloud Service Providers (CSPs).

This marks the first documented case of active exploitation concerning Looney Tunables, identified as CVE-2023-4911. This vulnerability potentially enables attackers to gain root privileges, significantly enhancing their operational capabilities.

Kinsing actors have a history of rapidly modifying their attack methodologies in response to newly disclosed vulnerabilities. Recently, they exploited a significant flaw in Openfire, recognized as CVE-2023-32315, to attain remote code execution capabilities.

Current attack strategies involve leveraging a critical remote code execution vulnerability in PHPUnit, identified as CVE-2017-9841. This tactic has been employed by the Kinsing cryptojacking group since at least 2021 to secure initial access to compromised environments.

Subsequently, Kinsing operators manually probe the victim's environment for the Looney Tunables vulnerability using a Python exploit made publicly available by a researcher known as bl4sty. They then retrieve and execute an additional PHP exploit; it is delivered in obfuscated form, and once de-obfuscated it turns out to be a JavaScript payload used for further exploitation.

This JavaScript operates as a web shell, providing backdoor access to the server. This access allows adversaries to execute commands, manage files, and gather additional intelligence on the compromised machine.
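The two stages described above each leave a distinct trace a defender can look for: the initial-access step is a web request to PHPUnit's `eval-stdin.php` helper (the script abused by CVE-2017-9841), and the privilege-escalation step is a process started with a malformed `GLIBC_TUNABLES` environment variable (the glibc loader variable through which CVE-2023-4911 is triggered). The Python triage script below is an added illustration, not code from the article, from Aqua or from the Kinsing tooling. The access-log lines and process records are constructed samples, and the record keys `exe`, `setuid` and `env` are assumed names for whatever EDR or audit pipeline supplies exec events.

```python
import re

# Constructed combined-format web access log lines (sample data, not from the article).
ACCESS_LOG = """\
203.0.113.7 - - [01/Nov/2023:10:14:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.3 - - [01/Nov/2023:10:14:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2023:10:14:09 +0000] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Constructed process-execution records; the keys "exe", "setuid" and "env" are
# assumed field names for whatever EDR/auditd pipeline feeds this script.
PROC_EVENTS = [
    {"pid": 4120, "exe": "/usr/bin/su", "setuid": True,
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=" + "A" * 300}},
    {"pid": 4121, "exe": "/usr/bin/python3", "setuid": False, "env": {"PATH": "/usr/bin"}},
    {"pid": 4122, "exe": "/usr/bin/ls", "setuid": False,
     "env": {"GLIBC_TUNABLES": "glibc.malloc.tcache_count=2:glibc.malloc.mxfast=64"}},
]

# Common Log Format prefix: client, identd, user, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The PHPUnit helper script abused by CVE-2017-9841; it may sit under any vendor prefix.
PHPUNIT_EVAL_RE = re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", re.IGNORECASE)
MAX_TUNABLES_LEN = 1024  # heuristic ceiling; legitimate tunable strings are short


def find_phpunit_probes(log_text):
    """Return access-log entries that target PHPUnit's eval-stdin.php (CVE-2017-9841)."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if PHPUNIT_EVAL_RE.search(path):
            hits.append({"ip": m["ip"], "method": m["method"], "path": path, "status": int(m["status"])})
    return hits


def glibc_tunables_findings(event):
    """Reasons an exec event's GLIBC_TUNABLES value looks like CVE-2023-4911 abuse."""
    value = event.get("env", {}).get("GLIBC_TUNABLES")
    if value is None:
        return []
    reasons = []
    if event.get("setuid"):
        reasons.append("GLIBC_TUNABLES set on a setuid binary")
    # Legitimate syntax is name=value pairs separated by ':'; a segment holding more than
    # one '=' (name=name=value) is the malformed form the vulnerable loader mishandles.
    if any(seg.count("=") > 1 for seg in value.split(":")):
        reasons.append("malformed tunable segment with repeated '='")
    if len(value) > MAX_TUNABLES_LEN:
        reasons.append("oversized GLIBC_TUNABLES value")
    return reasons


def triage(log_text, events):
    """Combine both checks into one report keyed by attack stage."""
    return {
        "phpunit_probes": find_phpunit_probes(log_text),
        "tunables_alerts": [(e["pid"], e["exe"], r) for e in events for r in glibc_tunables_findings(e)],
    }


if __name__ == "__main__":
    report = triage(ACCESS_LOG, PROC_EVENTS)
    for hit in report["phpunit_probes"]:
        print(f"PHPUnit probe from {hit['ip']}: {hit['method']} {hit['path']} -> {hit['status']}")
    for pid, exe, reason in report["tunables_alerts"]:
        print(f"GLIBC_TUNABLES alert pid={pid} exe={exe}: {reason}")
```

Even a 404 on the PHPUnit path is worth recording, since the same source scanning several vendor prefixes is the probing behaviour that precedes a hit; on the host side, a setuid binary started with any `GLIBC_TUNABLES` at all is rare enough in production that the first check alone is a reasonable alert, with the repeated-`=` pattern confirming the specific Looney Tunables shape.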

The overarching objective of these attacks is to obtain credentials from the cloud service provider, signifying a notable tactical evolution from the Kinsing group’s previous strategies, which revolved primarily around deploying malware for cryptojacking. Security researcher Assaf Morag emphasizes that this represents Kinsing’s first active attempt to collect such sensitive information.

This recent shift indicates a broadening of Kinsing’s operational scope, posing heightened risks to cloud-native environments. As Kinsing diversifies its tactics, organizations must remain vigilant against evolving threats that may exploit such vulnerabilities.
