Kinsing Attackers Experiment with "Looney Tunables" Exploit for Cloud Compromise
Threat actors associated with the Kinsing malware have been observed exploiting a Linux privilege escalation vulnerability in the GNU C Library, CVE-2023-4911 (aka Looney Tunables), to obtain credentials from cloud environments. In a report authored by Assaf Morag of Aqua Security, the campaign is attributed to Kinsing with "100%" certainty; however, the specific details supporting that attribution are being withheld for a future report.
The Looney Tunables exploit script was found to have been taken directly from a repository owned by a security researcher, @bl4sty. After being notified by BleepingComputer, the researcher confirmed their intention to address this abuse. From their web shell, the threat actors attempted to query the AWS metadata service, signaling their ultimate intent to "enumerate the details and credentials associated with the Cloud Service Provider (CSP)." Aqua Security noted that this deviates from the threat actor's typical goal, which is deploying their cryptominer, and suggests that the Kinsing threat actors are expanding their objectives and aiming for more "intense activities."