Kinsing Threat Actor Targets Linux Flaw for Cloud Environment Breaches
Malicious actors affiliated with the cryptojacking syndicate known as Kinsing have escalated their exploitation of a vulnerability discovered in Linux last October, known as Looney Tunables (CVE-2023-4911), to break into cloud environments. The development was reported by AquaSec, a firm specializing in cloud security.
The researchers' analysis marks the first documented instance of Looney Tunables being actively exploited in the wild, with the attacker using it to obtain root privileges within the target environment.
The new campaign is distinguished by its reliance on an antiquated vulnerability in PHPUnit (CVE-2017-9841), which allows the execution of arbitrary code. This tactic has been a cornerstone of Kinsing’s strategy for gaining initial access to various systems since at least 2021.
In their most recent attacks, the perpetrators used a Python proof-of-concept exploit released by a researcher under the alias bl4sty on October 5th. The Kinsing operators then deployed an additional PHP exploit which, once deobfuscated, turned out to be JavaScript designed for further exploitation.
This JavaScript functioned as a web shell, giving the attackers the ability to manage files, execute commands, and gather information about the compromised device.
The primary objective of these attacks is the extraction of cloud service provider credentials for future operations. This aim deviates from Kinsing’s customary modus operandi, which typically involves deploying malware and initiating cryptocurrency mining.
Researchers note that this shift signals a potential broadening of the group's operational scope, suggesting that its activities may diversify and intensify in the near future, thereby amplifying the threat to cloud-based environments.