Looney Tunables bug exploited for cryptojacking

Kinsing threat actors have been spotted exploiting the recently disclosed Looney Tunables (CVE-2023-4911) vulnerability to covertly install cryptomining software into cloud-native environments.

Kinsing (aka Money Libra) is a threat actor group that has been active since late 2021, targeting cloud-native environments and applications – Kubernetes clusters, Docker API, Redis, Jenkins and Openfire servers, cloud-hosted Apache NiFi instances, and so on – to deploy cryptominers.

Kinsing exploiting PHPUnit and Looney Tunables vulnerabilities

In this latest attack spotted by Aqua Security researchers, they are exploiting a critical remote code execution vulnerability (CVE-2017-9841) in the PHP testing framework PHPUnit for initial access, and then CVE-2023-4911, buffer overflow vulnerability in the GNU C Library’s dynamic loader, to achieve root privileges on the underlying Linux distribution.

“Typically, Kinsing engages in fully automated attacks with the primary objective of mining cryptocurrency. However, in this recent discovery, we observed Kinsing conducting manual tests, a deviation from their usual modus operandi,” noted Assaf Morag, Lead Data Analyst at Aqua Security.

The attackers manually probed the environment for system and user information and started a new interactive shell session. They also downloaded and ran several scripts, including one that contains the Looney Tunables exploit (downloaded directly from a researchers’ website) and another one that creates a webshell (backdoor).

“Ultimately, it becomes apparent that Kinsing is attempting to enumerate the details and credentials associated with the Cloud Service Provider (CSP),” Morag shared.

“From what we know, this is the first time Kinsing has tried to collect this kind of information. Before, they mostly focused on spreading their malware and running a cryptominer, often trying to increase their chances to succeed by eliminating competition or evading detection. This, however, new move shows that Kinsing might be planning to do more varied and intense activities soon, which could mean a bigger risk for systems and services that run on the cloud.”