The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.
“Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP),” cloud security firm Aqua said in a report shared with The Hacker News.
The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.
Kinsing actors have a track record of opportunistically and swiftly adapting their attack chains to exploit newly disclosed security flaws to their advantage, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution.
The latest set of attacks entails exploiting a critical remote code execution shortcoming in PHPUnit (CVE-2017-9841), a tactic known to be employed by the cryptojacking group since at least 2021, to obtain initial access.
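The PHPUnit step above is the initial-access foothold, and it leaves a footprint in ordinary web-server access logs. The following Python is an added illustration, not code from the article or from Aqua: it scans constructed sample log lines for requests aimed at the PHPUnit script that CVE-2017-9841 abuses (that path is public knowledge about the CVE, not something the article states) and separates failed probes, which draw a 404, from requests the script actually answered. The client addresses, timestamps and user agents in the sample are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access-log lines (combined log format); these are
# illustrative and not taken from the article or the Aqua report.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Nov/2023:10:15:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2023:10:15:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Nov/2023:10:15:09 +0000] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 221 "-" "curl/8.1"
203.0.113.11 - - [03/Nov/2023:10:16:00 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Apache/nginx "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tail of the PHPUnit script that CVE-2017-9841 abuses (a publicly documented
# detail of the CVE; the article names only the CVE). Scanners try many
# directory prefixes, so anchor on the tail rather than on /vendor/.
PHPUNIT_EVAL_RE = re.compile(r'/phpunit/src/Util/PHP/eval-stdin\.php$', re.IGNORECASE)


def normalize_path(raw_path):
    """Decode percent-encoding and drop the query string so lightly
    obfuscated requests still match the signature."""
    return unquote(raw_path).split('?', 1)[0]


def find_phpunit_probes(log_text):
    """Return one record per request aimed at eval-stdin.php.

    A 404 means the file is absent and the probe failed; a 200 to a POST means
    the script answered and the host must be treated as potentially compromised.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = normalize_path(m.group('path'))
        if not PHPUNIT_EVAL_RE.search(path):
            continue
        status = int(m.group('status'))
        hits.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'method': m.group('method'),
            'path': path,
            'status': status,
            'likely_reached_script': m.group('method') == 'POST' and status == 200,
        })
    return hits


def sources_to_triage(hits):
    """Client IPs that got a 200 back from the script, for incident follow-up."""
    return sorted({h['ip'] for h in hits if h['likely_reached_script']})


if __name__ == '__main__':
    probes = find_phpunit_probes(SAMPLE_LOG)
    for h in probes:
        flag = 'TRIAGE' if h['likely_reached_script'] else 'probe'
        print(f"{flag:6} {h['ip']:15} {h['status']} {h['path']}")
    print('triage:', sources_to_triage(probes))
```

A 200 on a POST does not by itself prove code execution, but it does prove the script is reachable, which is the condition the exploit needs, so those hosts go to the front of the incident queue. On the mitigation side, PHPUnit is a development dependency: keeping `vendor/` out of production web roots, or denying HTTP access to it, closes this initial-access path regardless of whatever the attacker intends to run afterwards.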
![Linux Flaw](https://cyberaffairs.com/wp-content/uploads/2023/11/exploit.jpg)
This is followed by manually probing the victim environment for Looney Tunables using a Python-based exploit published by a researcher who goes by the alias bl4sty on X (formerly Twitter).
“Subsequently, Kinsing fetches and executes an additional PHP exploit,” Aqua said. “Initially, the exploit is obscured; however, upon de-obfuscation, it reveals itself to be a JavaScript designed for further exploitative activities.”
The JavaScript code, for its part, is a web shell that grants backdoor access to the server, enabling the adversary to perform file management, command execution, and gather more information about the machine it’s running on.
The end goal of the attack appears to be to extract credentials associated with the cloud service provider for follow-on attacks, a significant tactical shift from its pattern of deploying the Kinsing malware and launching a cryptocurrency miner.
“This marks the inaugural instance of Kinsing actively seeking to gather such information,” the company said.
“This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments.”