November 6, 2023 at 03:26PM
The Kinsing malware operators are targeting vulnerable cloud environments using a Linux security issue known as “Looney Tunables” (CVE-2023-4911). The malware exploits this vulnerability to gain root privileges on compromised systems. Kinsing is known for breaching cloud-based systems and deploying cryptomining software. Recent attacks have targeted Kubernetes clusters through misconfigured PostgreSQL containers. The attackers also utilize a PHPUnit vulnerability to gain code execution and manipulate the Looney Tunables vulnerability. They download a web shell backdoor and show interest in collecting Cloud Service Provider credentials, indicating a shift towards more sophisticated activities. This campaign is believed to be an experimental endeavor by the threat actor.
Key takeaways from the meeting notes:
1. Kinsing malware is targeting cloud environments with vulnerable systems, specifically exploiting the Linux security issue CVE-2023-4911 to gain root privileges.
2. Kinsing is known for breaching cloud-based systems and deploying cryptomining software, with recent focus on targeting Kubernetes clusters through misconfigured PostgreSQL containers.
3. The attack starts with exploiting a vulnerability in the PHP testing framework ‘PHPUnit’ to gain a code execution foothold, followed by triggering the ‘Looney Tunables’ issue to escalate privileges.
4. Kinsing conducted manual tests of the attack before developing exploitation scripts for automation.
5. The attackers leverage a reverse shell to execute reconnaissance commands and drop a script (‘gnu-acme.py’) for privilege elevation using CVE-2023-4911.
6. The attackers also deploy a JavaScript web shell backdoor (‘wesobase.js’) that provides them with various capabilities, including command execution, file management, network/server information collection, and encryption/decryption functions.
7. A significant shift in this campaign is the attackers’ interest in cloud service provider (CSP) credentials, particularly for accessing AWS instance identity data.
8. The researchers believe this campaign was an experiment for the threat actor, exploring different tactics and expanding the scope of the attack to collect CSP credentials.