Kinsing hackers are actively exploiting Looney Tunables to steal credentials

Lord777

The attackers changed their usual tactics and became even more dangerous.

Attackers associated with the Kinsing crypto-hacking group began actively exploiting a Linux vulnerability known as Looney Tunables (CVE-2023-4911) discovered in October to carry out attacks to penetrate cloud environments. This is reported by the cloud security company AquaSec.

The researchers' analysis marks the first publicly documented case of active exploitation of Looney Tunables, which allowed the attackers to gain root privileges in the target environment.

The new campaign is characterized by the use of an old vulnerability in PHPUnit (CVE-2017-9841), which allows arbitrary code execution. Kinsing has been using this approach to gain initial access to various systems since at least 2021.

As part of the latest attacks, the attackers used a Python PoC exploit published by a researcher under the pseudonym bl4sty on October 5. After that, the Kinsing hackers launched an additional PHP exploit, which, as it turned out after deobfuscation, was JavaScript intended for further exploitation.

This JavaScript code served as a web shell, giving the attackers the ability to manage files, execute commands, and collect information about the host.
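The initial-access step described above, a request to PHPUnit's eval-stdin.php endpoint, leaves a distinctive trace in web server access logs. The following detection script is an added example written for this post; it is not code from AquaSec or from the Kinsing campaign. It assumes Apache/nginx "combined" log format, uses constructed sample log lines, and adds a screening check for the glibc versions upstream-affected by CVE-2023-4911 (2.34 through 2.38) with the caveat that distribution packages backport the fix without changing the version string.

```python
import re
from dataclasses import dataclass

# Regex for Apache/nginx "combined" access-log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Path of the PHPUnit eval-stdin endpoint abused by CVE-2017-9841. The prefix
# (vendor/, lib/, ...) varies with how PHPUnit was shipped, so match on the tail.
EVAL_STDIN_RE = re.compile(r'/phpunit/src/Util/PHP/eval-stdin\.php(?:$|\?)', re.IGNORECASE)

# Constructed sample log lines (not from the report); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2023:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Nov/2023:10:12:07 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 86 "-" "python-requests/2.31"
198.51.100.7 - - [05/Nov/2023:10:13:22 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Nov/2023:10:14:03 +0000] "POST /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def scan_access_log(text: str) -> list:
    """Return one Finding per request that hits a PHPUnit eval-stdin.php path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path")
        if not EVAL_STDIN_RE.search(path):
            continue
        status = int(m.group("status"))
        if status < 400:
            # The endpoint answered: PHPUnit is reachable and the request body
            # was very likely evaluated as PHP. Treat as a probable compromise.
            severity = "high"
            reason = "eval-stdin.php responded; PHPUnit is web-reachable, request body may have run as PHP"
        else:
            # A 4xx means the path does not exist here; this is scanning activity.
            severity = "medium"
            reason = "probe for eval-stdin.php at a non-existent path; scanner activity"
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                path, status, severity, reason))
    return findings


def glibc_in_affected_range(version: str) -> bool:
    """Screening heuristic for CVE-2023-4911 (Looney Tunables).

    Upstream glibc 2.34 through 2.38 contain the ld.so GLIBC_TUNABLES bug.
    Distributions backport the fix without bumping the version, so True means
    'check the package changelog for CVE-2023-4911', not 'vulnerable'.
    """
    m = re.match(r'(\d+)\.(\d+)', version)
    if not m:
        raise ValueError(f"unrecognized glibc version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return (2, 34) <= (major, minor) <= (2, 38)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    for v in ("2.31", "2.35", "2.38-1ubuntu6", "2.39"):
        print(f"glibc {v}: upstream-affected range = {glibc_in_affected_range(v)}")
```

Feed a real access log to `scan_access_log` and forward "high" findings to the incident queue; the "medium" probes are useful for blocking source addresses at the edge but are routine background noise on any internet-facing host. Pair the log check with the glibc version screen on the same hosts, since a web-reachable PHPUnit plus an unpatched glibc is exactly the combination this campaign chains.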

The main purpose of the attack is to extract the credentials of a cloud service provider for subsequent actions. This goal departs from the Kinsing group's usual practice of deploying malware and launching cryptocurrency miners.

The researchers note that this points to a potential expansion of the group's operational scope and may indicate that its activity will become more diverse and intense in the near future, increasing the threat to cloud environments.