November 6, 2023 at 09:00AM
A serious privilege escalation vulnerability, known as CVE-2023-4911 or Looney Tunables, has been exploited by the Kinsing threat group. The group, known for its cryptojacking operations, has targeted major Linux distributions. They have also started collecting new types of information, indicating a potential shift in their activities. Security firm Aqua Security has shared indicators of compromise and recommendations for prevention and detection.
Key Takeaways from Meeting Notes:
– A privilege escalation vulnerability, CVE-2023-4911 (Looney Tunables), in the GNU C Library (glibc) has been recently patched, but it has been exploited in cloud attacks by a threat group known as Kinsing.
– Kinsing is known for using the Kinsing malware and conducting cryptojacking operations.
– The Looney Tunables vulnerability affects major Linux distributions like Debian, Gentoo, Red Hat, and Ubuntu, allowing local attackers to execute arbitrary code with elevated privileges.
– Aqua Security has observed Kinsing targeting container environments such as Kubernetes, Docker, Jenkins, and Redis servers.
– Kinsing has also targeted Openfire servers through a vulnerability tracked as CVE-2023-32315.
– In recent attacks, Kinsing exploited the PHPUnit vulnerability, CVE-2017-9841, for initial access.
– Kinsing deviated from its typical modus operandi by conducting manual tests and attempting to exploit the Looney Tunables vulnerability, which can provide root access to the system.
– The group downloaded additional scripts to obtain backdoor access to the server and gather credentials associated with the Cloud Service Provider (CSP).
– Aqua Security believes that Kinsing’s shift towards collecting CSP-related information suggests they may be planning more varied and intense activities in the future, posing a greater risk to cloud systems and services.
– Aqua Security has shared indicators of compromise (IoCs), MITRE ATT&CK mapping, and recommendations for preventing and detecting these types of attacks.
– The meeting notes also mention severe vulnerabilities in Azure and Microsoft Cloud that led to remote code execution and exposure of Office 365 data, as well as a Linux kernel vulnerability called StackRot that demonstrates the exploitability of UAFBR bugs.