A serious privilege escalation vulnerability patched recently in the GNU C Library (glibc) has been exploited in cloud attacks by a threat group known for the use of the Kinsing malware and for its cryptojacking operations.
The security hole, tracked as CVE-2023-4911 and named Looney Tunables, has been found to impact major Linux distributions, including Debian, Gentoo, Red Hat, and Ubuntu. It allows a local attacker to execute arbitrary code with elevated privileges.
According to cloud security firm Aqua Security, the group behind Kinsing, which is tracked by Palo Alto Networks as Money Libra, has exploited the Looney Tunables vulnerability in recent attacks.
The Kinsing group has been known for deploying its Linux malware in container environments, its ultimate goal being the delivery of cryptocurrency miners. The threat actor poses a significant threat to Kubernetes, Docker, Jenkins and Redis servers, and it was recently observed targeting Openfire servers via a vulnerability tracked as CVE-2023-32315.
In the recent attacks seen by Aqua Security, the Kinsing hackers exploited a PHPUnit vulnerability tracked as CVE-2017-9841 for initial access.
The attackers then conducted manual tests — this represents a deviation from their typical modus operandi — and this included attempts to exploit the Looney Tunables vulnerability, which can be leveraged to gain root access to the system. They targeted the flaw using a publicly available PoC exploit.
The hackers then downloaded additional scripts providing backdoor access to the server and enabling them to obtain information, particularly credentials associated with the Cloud Service Provider (CSP).
“From what we know, this is the first time Kinsing has tried to collect this kind of information,” Aqua Security noted. “Before, they mostly focused on spreading their malware and running a cryptominer, often trying to increase their chances to succeed by eliminating competition or evading detection. This, however, new move shows that Kinsing might be planning to do more varied and intense activities soon, which could mean a bigger risk for systems and services that run on the cloud.”
The security firm has shared indicators of compromise (IoCs), MITRE ATT&CK mapping, and recommendations for preventing and detecting these types of attacks.
Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
Related: StackRot Linux Kernel Vulnerability Shows Exploitability of UAFBR Bugs