Recently, there has been a concerning development in the world of cloud security. A group of threat actors linked to Kinsing is actively targeting cloud environments. They are doing this by taking advantage of a newly disclosed Linux privilege escalation flaw called Looney Tunables.
In their new experimental campaign to breach cloud environments, these threat actors are not just stopping at Looney Tunables. They have expanded their tactics by extracting credentials from Cloud Service Providers (CSPs), as the cloud security firm Aqua reported. This is a significant shift from their usual pattern of deploying Kinsing malware and launching cryptocurrency mining operations.
Looney Tunables, tracked as CVE-2023-4911, is a buffer overflow vulnerability in glibc that could allow a local threat actor to gain root privileges. This campaign marks the first documented instance of active exploitation of this vulnerability.
The threat actors manually probe the victim’s environment for Looney Tunables using a Python-based exploit published by a researcher known as bl4sty. Once a vulnerable host is identified, Kinsing deploys an additional PHP exploit. Initially, this exploit is obfuscated, but once de-obfuscated it is revealed to be JavaScript code designed for further exploitative activities.
The JavaScript code functions as a web shell, providing backdoor access to the compromised server. This backdoor access allows the hackers to perform tasks such as file management, command execution, and gathering more information about the targeted machine.
Conclusion: Securing Cloud Environments
The ultimate goal of this attack appears to be the extraction of credentials associated with the cloud service provider, signaling a significant shift in the tactics of these threat actors. Instead of solely focusing on cryptocurrency mining, they are actively seeking sensitive information.
Security researcher Assaf Morag noted that this recent development suggests a potential broadening of their operational scope, which could pose an increased threat to cloud-native environments in the near future. Organizations need to stay vigilant and take steps to protect their cloud environments from these evolving threats.
Securing your cloud systems against evolving threats is crucial in today’s digital landscape. One effective strategy to enhance your defense mechanisms involves the implementation of live patching. This approach allows you to apply security patches seamlessly, ensuring the protection of your cloud infrastructures without causing disruptions or requiring maintenance windows.
TuxCare’s KernelCare Enterprise is an automated security patching tool to streamline vulnerability management. With KernelCare Enterprise, your systems can be automatically patched without any reboots or patching-related downtimes.
Schedule a conversation with a TuxCare Linux security expert to get started with KernelCare Enterprise for your cloud infrastructure security.
The sources for this article include a story from TheHackerNews.
The post Kinsing Actors Target Cloud Environments Exploiting Looney Tunables appeared first on TuxCare.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/kinsing-actors-target-cloud-environments/