November 21, 2023 at 01:01PM
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems against an actively exploited vulnerability called ‘Looney Tunables.’ The vulnerability allows attackers to gain root privileges on major Linux distributions. The flaw affects popular platforms like Fedora, Ubuntu, and Debian. Administrators are advised to patch their systems promptly as proof-of-concept exploits have been released. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, warning of significant risks. Private companies are also urged to prioritize patching. The Looney Tunables flaw has been exploited by Kinsing malware attackers targeting cloud environments.
Key takeaways from the meeting notes:
1. CISA has ordered U.S. federal agencies to secure their systems against a vulnerability known as ‘Looney Tunables’, which allows attackers to gain root privileges on major Linux distributions.
2. The vulnerability is due to a buffer overflow weakness in the GNU C Library’s ld.so dynamic loader.
3. The security flaw affects the latest releases of popular Linux platforms, including Fedora, Ubuntu, and Debian.
4. Administrators are urged to patch their systems promptly as the vulnerability is actively being exploited, and proof-of-concept exploits have been released online.
5. Qualys’ Saeed Abbasi emphasized the importance of system administrators acting swiftly due to the capability of the vulnerability to provide full root access.
6. CISA has included the actively exploited Linux flaw in its Known Exploited Vulnerabilities Catalog, recognizing it as a frequent attack vector with significant risks.
7. U.S. Federal Civilian Executive Branch Agencies must patch Linux devices on their networks by December 12, as mandated by a binding operational directive.
8. While the primary target is U.S. federal agencies, CISA advises all organizations, including private companies, to prioritize patching the Looney Tunables security flaw.
9. Kinsing malware operators are exploiting the Looney Tunables flaw in attacks targeting cloud environments.
10. The attackers use a known vulnerability in the PHPUnit framework as an initial breach and then leverage the Looney Tunables issue to escalate their privileges.
11. Once they have gained root access, the threat actors install a JavaScript web shell for backdoor access and execute commands, manage files, and conduct reconnaissance.
12. The ultimate goal of the Kinsing attackers is to steal cloud service provider credentials, particularly AWS instance identity data.
13. Kinsing is known for breaching and deploying crypto mining software in cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins.
14. Microsoft and Trend Micro have observed the group targeting Kubernetes clusters via misconfigured containers and exploiting the Apache ActiveMQ bug, respectively.
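Items 11 and 12 describe the post-exploitation stage: once root, the Kinsing operators run commands from a web shell and go after cloud provider credentials, particularly AWS instance identity data. On an EC2 host that data comes from the instance metadata service (IMDS) at 169.254.169.254, so requests from a workload to the IMDS credential and identity-document paths are a practical detection point. The script below is an added example, not code from the original summary or from any of the vendors named above; it scans constructed proxy-style log lines (format `<timestamp> <source_ip> <method> <url>`, made up for this example) and flags fetches of IAM role credentials or the instance identity document. The IMDS address and paths are the real AWS endpoints; every sample entry and host name is constructed.

```python
"""Flag requests to the AWS instance metadata service (IMDS) that fetch
IAM role credentials or instance identity data.

Added example, not part of the original summary. The log format is
constructed for illustration: one request per line as
"<timestamp> <source_ip> <method> <url>". The IMDS address
169.254.169.254 and the /latest/meta-data/ and /latest/dynamic/ paths are
the real AWS endpoints; the sample entries and host names are made up."""

import re
from urllib.parse import urlsplit

IMDS_ADDRESS = "169.254.169.254"

# IMDS paths that return credentials or identity material. A typical
# application or container workload has no reason to request these, so a
# GET here from a web server or container IP is worth an alert.
SENSITIVE_PREFIXES = (
    "/latest/meta-data/iam/security-credentials",
    "/latest/dynamic/instance-identity",
    "/latest/meta-data/identity-credentials",
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Constructed sample log: three credential/identity fetches from one host,
# one harmless metadata lookup, one IMDSv2 token request, one unrelated URL.
SAMPLE_LOG = """\
2023-11-21T12:58:01Z 10.0.2.15 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
2023-11-21T12:58:02Z 10.0.2.15 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role
2023-11-21T12:58:05Z 10.0.2.15 GET http://169.254.169.254/latest/dynamic/instance-identity/document
2023-11-21T12:58:07Z 10.0.2.15 GET http://169.254.169.254/latest/meta-data/placement/availability-zone
2023-11-21T12:58:09Z 10.0.2.15 PUT http://169.254.169.254/latest/api/token
2023-11-21T12:59:00Z 10.0.2.16 GET http://updates.example.internal/packages/index.json
"""


def parse_line(line):
    """Return a dict with ts/src/method/url, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_credential_fetch(entry):
    """True when the entry is a GET to one of the sensitive IMDS paths."""
    u = urlsplit(entry["url"])
    if u.hostname != IMDS_ADDRESS:
        return False
    return entry["method"] == "GET" and u.path.startswith(SENSITIVE_PREFIXES)


def find_imds_credential_fetches(log_text):
    """Return (timestamp, source_ip, path) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_credential_fetch(entry):
            hits.append((entry["ts"], entry["src"], urlsplit(entry["url"]).path))
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source IP, to rank hosts for triage."""
    counts = {}
    for _, src, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_imds_credential_fetches(SAMPLE_LOG)
    for ts, src, path in flagged:
        print(f"{ts} {src} -> {path}")
    print(summarize_by_source(flagged))
```

The plain availability-zone lookup and the IMDSv2 token `PUT` are deliberately left unflagged: many legitimate agents touch those, and alerting on them would bury the signal. Pairing this check with the patch status of glibc on the same hosts (item 2) gives a quick view of which systems are both exposed and showing credential-harvesting behaviour.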