Kinsing Cyberattackers Debut 'Looney Tunables' Cloud Exploits

Admins need to patch immediately, as the prolific cybercrime group pivots from cryptomining to going after cloud secrets and credentials.

Dark storm clouds gathering
Source: AllCanadaPhotos

An exploit for the recently disclosed "Looney Tunables" security vulnerability, which could allow cyberattackers to gain root privileges on millions of Linux systems, is making the rounds in attacks on cloud servers from the Kinsing cybercrime group, researchers are warning.

And it represents a concerning pivot in tactics for the cloud-attack specialist group.

Researchers from Aqua Nautilus have flagged Kinsing's experimental incursions into cloud environments using the bug (CVE-2023-4911, CVSS 7.8), which is a buffer overflow flaw for privilege escalation in the commonly used GNU C Library (glibc) used in most major distributions of the open source operating system (OS).

"We have uncovered the threat actor's manual efforts to [carry out attacks]," according to an alert from the security firm issued on Nov. 3. "This marks the first documented instance of such an exploit, to the best of our knowledge."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, noted that the development should spur immediate action from cloud security teams and administrators.

"The Looney Tunables vulnerability presents an urgent and severe security risk with widespread implications across millions of Linux systems," he said in an emailed statement. "The active exploitation by the Kinsing threat actor, known for their aggressive attacks on cloud infrastructures, heightens the threat level."

He noted that " ... quick and decisive measures are critical; patching, securing credentials, monitoring configurations, and enhancing detection capabilities are not just recommended, but essential to fend off potential breaches that could lead to complete system compromise."

Stealing Cloud Service Provider Secrets

Once the Kinsing attackers establish initial access via a known PHPUnit vulnerability (CVE-2017-9841), they open a reverse shell on port 1337. From there, they use manually crafted shell commands to hunt for and exploit the Looney Tunables bug for privilege escalation — and, ultimately, carry out credential and secrets theft.

Aqua Nautilus warned that the type of data that could be stolen in a successful attack include:

  • Temporary Security Credentials: these can provide full access to AWS resources if the associated role has broad permissions;

  • IAM Role Credentials: these are used to grant permissions to the instance and any applications running on it to interact with other AWS services;

  • Instance Identity Tokens: these are used to prove the identity of the instance when interacting with AWS services and for signing API requests.

This new move shows that Kinsing might be planning to do more varied and intense activities soon, which is a "strategic shift [that] marks a significant development in their approach."

A Strategic Change for Kinsing

The Kinsing group is known as an ongoing threat to containers and cloud-native environments, particularly Kubernetes clusters, the Docker API, Redis servers, Jenkins servers, and more, typically by exploiting recent vulnerabilities and cloud misconfigurations.

While the targets in this latest round of attacks are familiar, the manual probing for Looney Tunables by Kinsing members is a deviation from the group's usual modus operandi, according to Aqua Nautilus. In the past, Kinsing has typically gained initial access on a targeted cloud instance before deploying fully automated attacks with the primary objective of cryptojacking.

The manual trial-and-error testing is a precursor to "Kinsing's sinister intentions to broaden the scope of their automated attacks, specifically targeting cloud-native environments," Aqua Nautilus researchers warned.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights