Kinsing threat actors have initiated a new experimental campaign to exploit a recently disclosed Linux privilege escalation vulnerability known as Looney Tunables. In this campaign, they aim to breach cloud environments by broadening their tactics, which include extracting credentials from Cloud Service Providers (CSPs).
Furthermore, this marks the first publicly documented exploitation of Looney Tunables (CVE-2023-4911), which allows attackers to gain root privileges. Kinsing is known for opportunistically and rapidly turning newly disclosed security vulnerabilities to its advantage, having previously used a high-severity bug in Openfire (CVE-2023-32315) for remote code execution. Its latest series of attacks exploits a critical remote code execution weakness in PHPUnit (CVE-2017-9841) to obtain initial access.
Initial access is followed by manually probing the victim environment for Looney Tunables with a Python-based exploit and by executing an additional PHP exploit, which is initially obfuscated but is later revealed to be JavaScript code designed for further exploitative activities.
The end goal of these attacks is to extract credentials associated with the cloud service provider, marking a significant shift from Kinsing's previous pattern of deploying malware and launching cryptocurrency miners. This development suggests a potential diversification and intensification of the Kinsing operation, posing an increased threat to cloud-native environments in the near future.
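As an added detection example (not from the article, and not Kinsing's or any vendor's tooling), the following Python checks for the two stages of the chain described above: requests for PHPUnit's eval-stdin.php (the CVE-2017-9841 vector) in web access logs, and a GLIBC_TUNABLES value of the malformed name=name=value shape that triggers CVE-2023-4911 in a process environment. The log lines and environment dictionaries are constructed samples; the path regex and the double-'=' heuristic are this example's own assumptions.

```python
import re

# Constructed sample access log lines (Apache combined format), not from the article.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Nov/2023:12:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Nov/2023:12:01:07 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '10.0.0.9 - - [10/Nov/2023:12:01:09 +0000] "GET /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/8.0"',
]

# CVE-2017-9841: PHPUnit's eval-stdin.php evaluates the request body as PHP code.
# Any request for that file, under whatever vendor directory, is worth an alert
# (the 404s show scanning even when the file is absent).
PHPUNIT_EVAL = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S*/phpunit/[^" ]*eval-stdin\.php)\S* HTTP/'
)


def find_phpunit_probes(lines):
    """Return (client_ip, method, path) for every request aimed at eval-stdin.php."""
    hits = []
    for line in lines:
        m = PHPUNIT_EVAL.search(line)
        if m:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group("method"), m.group("path")))
    return hits


# CVE-2023-4911 (Looney Tunables): ld.so's GLIBC_TUNABLES parser mishandles an
# entry whose value itself contains '=' (name=name=value). Legitimate settings
# are colon-separated entries with exactly one '=' each, so this heuristic flags
# any entry carrying more than one.
def suspicious_glibc_tunables(env_value):
    return any(entry.count("=") > 1 for entry in env_value.split(":"))


def scan_environ(environ):
    """True if a process environment (e.g. parsed from /proc/<pid>/environ) carries a suspect value."""
    value = environ.get("GLIBC_TUNABLES")
    return bool(value) and suspicious_glibc_tunables(value)


if __name__ == "__main__":
    for hit in find_phpunit_probes(SAMPLE_ACCESS_LOG):
        print("PHPUnit eval-stdin.php request:", hit)
    # Constructed environment for a process, not a real capture.
    print("suspect GLIBC_TUNABLES:", scan_environ({"GLIBC_TUNABLES": "glibc.malloc.mxfast=glibc.malloc.mxfast=AAAA"}))
```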