November 3, 2023 at 09:42AM
The Kinsing threat actors are exploiting a Linux privilege escalation flaw called Looney Tunables in a new experimental campaign aimed at breaching cloud environments. They are also extracting credentials from Cloud Service Providers. This is the first documented instance of active exploitation of Looney Tunables, allowing the threat actors to gain root privileges. Kinsing has a history of adapting its attack chains and recently used a bug in Openfire for remote code execution. They are now exploiting a remote code execution flaw in PHPUnit and using a JavaScript web shell to gain backdoor access to the server and gather more information. This represents a tactical shift for Kinsing, indicating a potential expansion and increased threat to cloud-native environments.
Key Takeaways from the Meeting Notes:
1. Threat actors linked to Kinsing are actively exploiting the recently disclosed Linux privilege escalation flaw called Looney Tunables to breach cloud environments.
2. Cloud security firm Aqua has reported the first documented instance of the exploitation of Looney Tunables, which can allow threat actors to gain root privileges.
3. Kinsing actors have a history of quickly adapting their attack chains to exploit newly disclosed security flaws, such as the recent weaponization of a bug in Openfire.
4. The latest attacks involve exploiting a remote code execution vulnerability in PHPUnit to gain initial access.
5. Kinsing then probes the victim environment for Looney Tunables using an exploit published by a researcher called bl4sty.
6. Following the exploitation, Kinsing executes a JavaScript web shell that grants backdoor access to the server, allowing file management, command execution, and gathering of information.
7. The end goal of the attack is to extract credentials associated with the cloud service provider for future attacks, indicating a tactical shift from deploying malware and launching cryptocurrency miners.
8. This development suggests that the Kinsing operation may diversify and intensify, posing an increased threat to cloud-native environments.