
Exploiting the Looney Tunables Vulnerability: Kinsing Group's Attack Strategy and Increased Security Risk

Looney Tunables Glibc Vulnerability Exploited in Cloud Attacks

A significant vulnerability, nicknamed 'Looney Tunables,' has been found in the GNU C Library (GLIBC), a core component of most major Linux distributions. The flaw has become a focal point for cloud attacks and is being exploited by malicious actors, specifically the Kinsing group, a threat actor known for its Kinsing malware and its cryptojacking operations.

Vulnerability Present in Major Linux Distributions

The Looney Tunables vulnerability resides in glibc's GLIBC_TUNABLES feature, an environment variable that lets users adjust the library's runtime behavior on Linux. The flaw is triggered when the variable is set to poorly formed input, and successful exploitation can grant a local attacker elevated system privileges. Systems running unpatched versions of glibc are vulnerable.
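Because the flaw is reached through the GLIBC_TUNABLES environment variable, one practical audit on a host that cannot be patched immediately is to look for processes that were started with that variable set and check whether its value is well-formed. The script below is an added example written for this article, not code from the article, from glibc, or from any vendor it mentions. It assumes glibc's documented format for the variable (a colon-separated list of `name=value` pairs with dotted, lower-case names such as `glibc.malloc.mxfast`), reads each process's initial environment from `/proc/<pid>/environ`, and reports any value that does not parse cleanly. The regular expression and the report structure are this example's own choices; nothing here depends on a particular payload.

```python
"""Audit GLIBC_TUNABLES values for well-formedness.

Added example, not part of the original article. Assumes the documented
GLIBC_TUNABLES format: colon-separated name=value pairs whose names are
dotted, lower-case identifiers (e.g. glibc.malloc.mxfast=0).
"""
import os
import re
from dataclasses import dataclass, field

# One well-formed tunable: dotted lower-case name, exactly one '=',
# and a value that contains neither ':' nor '='.
TUNABLE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+=[^:=]*$")


@dataclass
class TunablesReport:
    """Result of checking one GLIBC_TUNABLES string."""
    raw: str
    valid: list = field(default_factory=list)
    malformed: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any entry that does not parse is worth an analyst's attention.
        return bool(self.malformed)


def check_tunables(value: str) -> TunablesReport:
    """Split a GLIBC_TUNABLES string and classify each entry."""
    report = TunablesReport(raw=value)
    for entry in value.split(":"):
        if entry == "":
            continue  # a trailing or doubled ':' is harmless noise
        if TUNABLE_RE.match(entry):
            report.valid.append(entry)
        else:
            report.malformed.append(entry)
    return report


def parse_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE records)."""
    env = {}
    for rec in blob.split(b"\0"):
        if not rec:
            continue
        key, sep, val = rec.partition(b"=")  # split on the FIRST '=' only
        if sep:
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env


def scan_proc(proc_root: str = "/proc"):
    """Yield (pid, report) for every live process exporting GLIBC_TUNABLES."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if "GLIBC_TUNABLES" in env:
            yield int(name), check_tunables(env["GLIBC_TUNABLES"])


if __name__ == "__main__":
    for pid, rep in scan_proc():
        status = "MALFORMED" if rep.suspicious else "ok"
        print(f"pid {pid}: {status} GLIBC_TUNABLES={rep.raw!r}")
```

Two caveats for anyone running this: `/proc/<pid>/environ` shows only the environment a process was started with and is readable for other users' processes only as root, so the scan is a point-in-time check rather than a substitute for updating glibc; and a malformed value is a reason to inspect the parent process and its command line, not proof of exploitation on its own.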

Exploited by Kinsing Group

The Kinsing group, notorious for its involvement with the Kinsing malware and cryptojacking, has been observed exploiting this vulnerability in cloud attacks. Because the implications range from data breaches to a total system takeover, immediate attention and remediation are imperative to secure affected systems.

The Vulnerability Allows Local Attacker To Execute Arbitrary Code With Elevated Privileges

Exploitation of this vulnerability allows a local attacker to execute arbitrary code with elevated system privileges. This opens the door to severe damage, from unauthorized access to private data to harmful changes to the affected system, making prompt remediation a critical necessity for system security.

Kinsing Group’s Attack Strategy

The Kinsing group, notorious for exploiting vulnerabilities in cloud systems for cryptocurrency mining, has displayed an alarming shift in its attack strategy. While maintaining its foothold through the known PHPUnit vulnerability (CVE-2017-), the group has shown interest in the Looney Tunables vulnerability (CVE-2023-), taking its exploitation beyond its traditional automated attacks.

Initial Access Gained Exploiting a PHPUnit Vulnerability

As part of its ongoing campaign, the Kinsing threat actor gains initial access to systems through the PHPUnit vulnerability, a well-documented exploit. What follows marks a significant departure from the group's typical fully automated attacks: instead of scripted follow-on activity, the attackers manually test and explore the system for further weaknesses.

Manual Testing Then Conducted to Exploit the Looney Tunables Vulnerability for Gaining Root System Access

After the initial infiltration, Kinsing conducts manual tests aimed at probing and potentially exploiting the Looney Tunables vulnerability. These tests indicate an intent to use the vulnerability to broaden the scope of the group's cloud-native attacks, exposing compromised systems to elevated risk.

Downloading Additional Scripts for Backdoor Access and Obtaining CSP Associated Credentials

In addition, Kinsing has been observed downloading additional scripts that deepen its access into the compromised system. These allow the group not only to establish a backdoor but also to extract valuable credentials associated with the Cloud Service Provider (CSP). This strategic shift underscores the need for increased vigilance toward these evolving threats and for robust security measures to curb their progress.

Increased Potential Security Risk from Kinsing Group

The Kinsing threat actor has always posed a significant risk to cloud-native environments. However, its recent shift in attack strategy to probe and exploit the Looney Tunables vulnerability represents a new potential threat. Its agile adaptation to new vulnerabilities and persistent efforts to misuse configurations are a cause for alarm among system administrators and security researchers alike. Two key markers highlight the potential for more intense activity and a bigger risk for systems and services running in the cloud.

First Attempt by Kinsing to Collect This Type of Information

In its recent activities, Kinsing has been observed collecting CSP-associated credentials for misuse, marking the group's first foray into this type of information acquisition. This demonstrates a desire to deepen its access into vulnerable systems and to push the boundaries of its attacks to extract the most benefit from the exploited vulnerabilities. The new strategy presents a much larger risk: systems are no longer exposed only to cryptocurrency mining but also face the threat of sensitive information theft.

Potential for More Intense Activities Soon Leading to Bigger Risk for Systems and Services Running on the Cloud

The near future may well bring more intense activity from the Kinsing group. The group has shown consistent and prompt adaptation to new vulnerabilities, adopting exploits into its arsenal as soon as they are discovered. With its persistent pursuit of misconfigured settings, the group represents an ever-increasing risk to systems and services operating in the cloud. Understanding its tactics, techniques, and procedures (TTPs) is critical to formulating robust security measures as a defense against such imminent threats.

Measures for Preventing and Detecting Attacks

As the Kinsing group advances its operation exploiting the Looney Tunables vulnerability with increasing sophistication, it becomes crucial to understand the measures available for preventing and detecting such attacks. Security firms, such as Aqua Security, have shared valuable indicators of compromise and MITRE ATT&CK mappings that help explain how the attacks are conducted and how to mitigate them.

Indicators of Compromise, MITRE ATT&CK Mapping Shared by Aqua Security

A detailed analysis of the Kinsing campaign shows that the attackers have regularly used a set of common techniques throughout their activities. The MITRE ATT&CK mapping developed by Aqua Security tracks these techniques: 'Exploit Public-Facing Application' (T) for initial access, 'Command and Scripting Interpreter' (T) for execution, 'Server Software Component' (T) for persistence, and 'Exploitation for Privilege Escalation' (T) for privilege escalation. This map of the attacker's strategy provides valuable insight into the threat actor's modus operandi, equipping security professionals with the knowledge needed to prevent and counteract these attacks.

Recommendations for Preventing and Detecting These Types of Attacks Provided by the Security Firm

The security firm also provides recommendations for preventing and detecting these types of attacks. By understanding the mechanics of these complex attacks and the vulnerabilities they exploit, defenders can construct effective countermeasures, recognize potential warning signs, and intervene before an actual breach occurs. Among the methods suggested, modernizing security strategies and protocols to meet advancing threats, building cyber resilience, and improving threat intelligence are particularly emphasized.

Reactionary Times News Desk
