The operators of the Kinsing malware are targeting cloud environments with systems vulnerable to "Looney Tunables," a Linux security issue tracked as CVE-2023-4911 that allows a local attacker to gain root privileges on the system.

Looney Tunables is a buffer overflow in glibc's dynamic loader (ld.so), triggered through a malformed GLIBC_TUNABLES environment variable and exploitable against setuid binaries such as su. The bug was introduced in April 2021 and shipped in glibc 2.34, but was only disclosed in early October 2023. Days after the disclosure, proof-of-concept exploits became publicly available.

In a report from cloud security company Aqua Nautilus, researchers describe a Kinsing malware attack in which the threat actor exploited CVE-2023-4911 to elevate privileges on a compromised machine. Kinsing is known for breaching cloud-based systems and the applications running on them to deploy cryptomining software.

Aqua Nautilus researchers say the attack starts with the exploitation of a known vulnerability in the PHP testing framework PHPUnit to gain a code execution foothold, followed by triggering Looney Tunables to escalate privileges.

"Utilizing a rudimentary yet typical PHPUnit vulnerability exploit attack, a component of Kinsing's ongoing campaign, we have uncovered the threat actor's manual efforts to manipulate the Looney Tunables vulnerability," reads the Aqua Nautilus report.

In contrast to its normal operating procedure, Kinsing tested the latest attack manually, probably to ensure it works as expected before developing scripts to automate the task.

Exploiting the PHPUnit flaw opens a reverse shell over port 1337 on the compromised system, which the Kinsing operators use to run reconnaissance commands such as 'uname -a' and 'passwd'. The attackers then drop a script named 'gnu-acme.py' on the system, which leverages CVE-2023-4911 to gain root. The exploit for Looney Tunables is fetched directly from the repository of the researcher who released the PoC, likely to hide the attackers' tracks.
The attackers also download a PHP script that deploys a JavaScript web shell backdoor to support the subsequent attack stages. The backdoor gives the attackers the ability to execute commands, perform file management actions, collect information about the network and the server, and perform encryption and decryption functions.

Ultimately, Kinsing showed interest in cloud service provider credentials, particularly the AWS instance identity data served by the instance metadata service, which Aqua Nautilus characterizes as a significant shift toward more sophisticated and damaging activity for this threat actor. The researchers believe the campaign was an experiment, since the threat actor relied on different tactics and expanded the scope of the attack to collecting cloud service provider credentials.
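The chain described above (PHPUnit foothold, reverse shell on port 1337, manual recon, gnu-acme.py with a malformed GLIBC_TUNABLES, then a root process pulling AWS instance identity data) maps onto a small set of host-level indicators. The following is an added example, not code from the Aqua Nautilus report or from Kinsing: it runs those indicators over constructed process telemetry and chains them, flagging a root process whose parent carried the CVE-2023-4911 trigger as a confirmed escalation. The event field names, the IP addresses and the PHPUnit eval-stdin.php path are assumptions of this example. It also wraps the safe local check Qualys published with the advisory, which runs su --help under a malformed GLIBC_TUNABLES and treats a segfault as "vulnerable".

```python
import subprocess
from urllib.parse import urlparse

# Constructed sample telemetry (not from the Aqua Nautilus report): one record per
# process start, in the shape an EDR or eBPF sensor might emit. Field names,
# addresses and the PHPUnit path are assumptions of this example.
SAMPLE_EVENTS = [
    # PHPUnit foothold: php run from the web server user on the abused test helper.
    {"pid": 4101, "ppid": 4000, "user": "www-data",
     "cmd": "php /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
     "env": {}, "dst_ip": None, "dst_port": None},
    # Reverse shell back to the operator on port 1337.
    {"pid": 4102, "ppid": 4101, "user": "www-data", "cmd": "bash -i",
     "env": {}, "dst_ip": "203.0.113.10", "dst_port": 1337},
    # Manual reconnaissance from the shell.
    {"pid": 4103, "ppid": 4102, "user": "www-data", "cmd": "uname -a",
     "env": {}, "dst_ip": None, "dst_port": None},
    {"pid": 4104, "ppid": 4102, "user": "www-data", "cmd": "cat /etc/passwd",
     "env": {}, "dst_ip": None, "dst_port": None},
    # Privilege escalation: the exploit script starts a setuid binary with a
    # GLIBC_TUNABLES entry of the form name=name=value, which ld.so mishandles.
    {"pid": 4105, "ppid": 4102, "user": "www-data", "cmd": "python3 /tmp/gnu-acme.py",
     "env": {}, "dst_ip": None, "dst_port": None},
    {"pid": 4106, "ppid": 4105, "user": "www-data", "cmd": "/usr/bin/su",
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=" + "A" * 1024},
     "dst_ip": None, "dst_port": None},
    # Post-escalation credential harvesting from the instance metadata service.
    {"pid": 4107, "ppid": 4106, "user": "root",
     "cmd": "curl -s http://169.254.169.254/latest/dynamic/instance-identity/document",
     "env": {}, "dst_ip": "169.254.169.254", "dst_port": 80},
    # Benign noise: a well-formed tunable on an admin's su must not fire.
    {"pid": 4200, "ppid": 1, "user": "root", "cmd": "/usr/bin/su -",
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=64"}, "dst_ip": None, "dst_port": None},
]


def looney_tunables_trigger(value):
    """True if a GLIBC_TUNABLES string holds an entry shaped name=name=value.
    A well-formed string is a colon-separated list of name=value pairs, so any
    entry with more than one '=' is the malformed shape CVE-2023-4911 needs."""
    return any(entry.count("=") > 1 for entry in value.split(":") if entry)


def imds_identity_access(cmd):
    """True if a command reaches the AWS metadata endpoint for the instance
    identity document or IAM role credentials."""
    for token in cmd.split():
        if "169.254.169.254" not in token:
            continue
        path = urlparse(token if "://" in token else "http://" + token).path
        if "/instance-identity" in path or "/meta-data/iam/" in path:
            return True
    return False


def triage(events):
    """Run the indicator rules over process events and return a list of findings."""
    findings = []
    tunables_pids = set()
    for ev in events:
        cmd, pid = ev["cmd"], ev["pid"]
        if "phpunit" in cmd and "eval-stdin.php" in cmd:
            findings.append({"pid": pid, "rule": "phpunit_eval_stdin", "detail": cmd})
        if ev.get("dst_port") == 1337 or "/dev/tcp/" in cmd:
            findings.append({"pid": pid, "rule": "reverse_shell_1337",
                             "detail": f"{ev.get('dst_ip')}:{ev.get('dst_port')}"})
        if cmd == "uname -a" or cmd.startswith("cat /etc/passwd"):
            findings.append({"pid": pid, "rule": "recon", "detail": cmd})
        if any(tok.endswith("gnu-acme.py") for tok in cmd.split()):
            findings.append({"pid": pid, "rule": "exploit_script_gnu_acme", "detail": cmd})
        tunables = ev.get("env", {}).get("GLIBC_TUNABLES")
        if tunables and looney_tunables_trigger(tunables):
            tunables_pids.add(pid)
            findings.append({"pid": pid, "rule": "looney_tunables_env", "detail": tunables[:60]})
        if imds_identity_access(cmd):
            findings.append({"pid": pid, "rule": "imds_identity_access", "detail": cmd})
    # Chain rule: a root process whose parent carried the malformed tunables is
    # the escalation having succeeded, not merely been attempted.
    for ev in events:
        if ev["user"] == "root" and ev["ppid"] in tunables_pids:
            findings.append({"pid": ev["pid"], "rule": "privilege_escalation_confirmed",
                             "detail": f"parent {ev['ppid']} ran with malformed GLIBC_TUNABLES"})
    return findings


def local_glibc_vulnerable(su_path="/usr/bin/su"):
    """Qualys' published safe check for CVE-2023-4911: run a setuid binary with a
    malformed GLIBC_TUNABLES and one large environment variable. A patched ld.so
    lets su print its help text; an unpatched one crashes with SIGSEGV (-11).
    Returns True if vulnerable, False if not, None if the check could not run."""
    env = {"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
           "Z": "%08192x" % 1}
    try:
        rc = subprocess.run([su_path, "--help"], env=env, capture_output=True,
                            timeout=10).returncode
    except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
        return None
    return rc == -11


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<32} {f['detail']}")
    print("local glibc vulnerable:", local_glibc_vulnerable())
```

Two caveats worth keeping in mind when adapting this. Plain auditd execve records do not capture the environment, so the GLIBC_TUNABLES rule needs a sensor that logs it (or an LD_AUDIT/eBPF hook); the gnu-acme.py name and port 1337 are campaign-specific and will be changed the moment the operators automate the chain, whereas the malformed-tunable shape and the web-user-to-root parent/child transition are the durable signals. Patching glibc removes the escalation step entirely, and requiring IMDSv2 makes the single-GET curl shown above fail, although a root process on the instance can still complete the IMDSv2 token exchange.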
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000