An exploit for the recently disclosed “Looney Tunables” security vulnerability, which could allow cyberattackers to gain root privileges on millions of Linux systems, is making the rounds in attacks on cloud servers from the Kinsing cybercrime group, researchers are warning.
And it represents a concerning pivot in tactics for the cloud-attack specialist group.
Researchers from Aqua Nautilus have flagged Kinsing’s experimental incursions into cloud environments using the bug (CVE-2023-4911, CVSS 7.8), a buffer overflow flaw that allows privilege escalation in the GNU C Library (glibc), which is used in most major distributions of the open source operating system (OS).
“We have uncovered the threat actor’s manual efforts to [carry out attacks],” according to an alert from the security firm issued on Nov. 3. “This marks the first documented instance of such an exploit, to the best of our knowledge.”
Saeed Abbasi, manager of vulnerability and threat research at Qualys, noted that the development should spur immediate action from cloud security teams and administrators.
“The Looney Tunables vulnerability presents an urgent and severe security risk with widespread implications across millions of Linux systems,” he said in an emailed statement. “The active exploitation by the Kinsing threat actor, known for their aggressive attacks on cloud infrastructures, heightens the threat level.”
He noted that “… quick and decisive measures are critical; patching, securing credentials, monitoring configurations, and enhancing detection capabilities are not just recommended, but essential to fend off potential breaches that could lead to complete system compromise.”
Stealing Cloud Service Provider Secrets
Once the Kinsing attackers establish initial access via a known PHPUnit vulnerability (CVE-2017-9841), they open a reverse shell on port 1337. From there, they use manually crafted shell commands to hunt for and exploit the Looney Tunables bug for privilege escalation — and, ultimately, carry out credential and secrets theft.
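One way to hunt for the chain described above, as an added example that is not from Aqua Nautilus or the original article: it correlates, per host, a request to PHPUnit's eval-stdin.php (the file behind CVE-2017-9841), a connection on port 1337, and a process started with GLIBC_TUNABLES set (the variable whose parsing CVE-2023-4911 affects). The event schema, host names, sample events and 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (ts/host/kind/...).
EVENTS = [
    {"ts": "2023-11-10T10:00:05", "host": "web-1", "kind": "http",
     "path": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"},
    {"ts": "2023-11-10T10:00:40", "host": "web-1", "kind": "net", "dport": 1337},
    {"ts": "2023-11-10T10:03:10", "host": "web-1", "kind": "exec",
     "env": ["GLIBC_TUNABLES=<constructed>"]},
    {"ts": "2023-11-10T11:00:00", "host": "web-2", "kind": "net", "dport": 1337},
    {"ts": "2023-11-10T09:00:00", "host": "web-3", "kind": "exec",
     "env": ["GLIBC_TUNABLES=glibc.malloc.tcache_count=0"]},  # benign tuning
]
ORDER = ["phpunit", "revshell", "tunables"]  # stages in the order the article gives

def stage(ev):
    """Map one event to a stage of the chain, or None if it is unrelated."""
    if ev["kind"] == "http" and ev.get("path", "").lower().endswith("/eval-stdin.php"):
        return "phpunit"    # file exposed by CVE-2017-9841
    if ev["kind"] == "net" and ev.get("dport") == 1337:
        return "revshell"   # port named in the article
    if ev["kind"] == "exec" and any(v.startswith("GLIBC_TUNABLES=") for v in ev.get("env", [])):
        return "tunables"   # variable parsed by the code behind CVE-2023-4911
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Per host: every signal seen, and how far the ordered chain progressed."""
    hosts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        h = hosts.setdefault(ev["host"], {"signals": set(), "chain": 0, "start": None})
        h["signals"].add(s)
        if 0 < h["chain"] < len(ORDER) and ts - h["start"] > window:
            h["chain"] = 0          # partial chain went stale; start over
        if h["chain"] < len(ORDER) and s == ORDER[h["chain"]]:
            if h["chain"] == 0:
                h["start"] = ts
            h["chain"] += 1
    return hosts

def triage(events):
    """'high' when all three stages occur in order on one host, else 'review'."""
    return {host: "high" if h["chain"] == len(ORDER) else "review"
            for host, h in correlate(events).items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

A lone signal such as web-3's legitimate GLIBC_TUNABLES setting only reaches "review"; the ordered three-stage sequence on a single host is what raises priority.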
Aqua Nautilus warned that the types of data that could be stolen in a successful attack include:
- Temporary Security Credentials: these can provide full access to AWS resources if the associated role has broad permissions;
- IAM Role Credentials: these are used to grant permissions to the instance and any applications running on it to interact with other AWS services;
- Instance Identity Tokens: these are used to prove the identity of the instance when interacting with AWS services and for signing API requests.
This new move shows that Kinsing might be planning more varied and intense activity soon, a “strategic shift [that] marks a significant development in their approach.”
A Strategic Change for Kinsing
The Kinsing group is known as an ongoing threat to containers and cloud-native environments, particularly Kubernetes clusters, the Docker API, Redis servers, Jenkins servers, and more, which it typically compromises by exploiting recent vulnerabilities and cloud misconfigurations.
While the targets in this latest round of attacks are familiar, the manual probing for Looney Tunables by Kinsing members is a deviation from the group’s usual modus operandi, according to Aqua Nautilus. In the past, Kinsing has typically gained initial access on a targeted cloud instance before deploying fully automated attacks with the primary objective of cryptojacking.
The manual trial-and-error testing is a precursor to “Kinsing’s sinister intentions to broaden the scope of their automated attacks, specifically targeting cloud-native environments,” Aqua Nautilus researchers warned.