
Foray into the cloud: Kinsing's new modus operandi

Advanced cyberattack strategies target cloud services through a critical vulnerability

The Kinsing hacker group attacks cloud systems using the Looney Tunables vulnerability to install crypto-mining software and steal credentials.



A new form of cyberattack has been observed in the cloud computing environment, where attackers from the group known as Kinsing, also known as Money Libra, exploit a vulnerability known as Looney Tunables (CVE-2023-4911). This hacker group, operational since 2021, is using this vulnerability to covertly install crypto-mining software in cloud-native environments, affecting platforms such as Kubernetes and other cloud services.

Combined exploitation of PHPUnit and Looney Tunables

The current technique employed by Kinsing is to first use a remote code execution vulnerability (CVE-2017-9841) present in PHPUnit to gain initial access to the system. Next, attackers use the Looney Tunables vulnerability to gain root privileges on the host Linux operating system. The alarm was raised by analysts at Aqua Security who noticed a deviation from Kinsing's usual pattern, observing manual tests rather than their usual automated attacks.
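The two-stage chain above (PHPUnit CVE-2017-9841 for initial access, then Looney Tunables CVE-2023-4911 for root) gives a defender two concrete things to look for. The following is an added example, not code from the article or from Aqua Security: it scans web-server access log lines for requests to the PHPUnit `eval-stdin.php` file that CVE-2017-9841 abuses, and flags processes whose environment carries `GLIBC_TUNABLES`, the loader variable at the heart of CVE-2023-4911 and one that has no business being set in a production web container. The log lines and process environments are constructed samples; the combined log format and the `read_proc_environs` helper for a live Linux host are assumptions of the example.

```python
import os
import re
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample access log lines (combined format); not from the article.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [07/Nov/2023:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2023:10:12:07 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 43 "-" "curl/7.88"
198.51.100.2 - - [07/Nov/2023:10:13:22 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Nov/2023:10:13:40 +0000] "GET /VENDOR/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "curl/7.88"
"""

# Constructed pid -> environment mapping standing in for /proc/<pid>/environ.
SAMPLE_PROCESS_ENVIRONS: Dict[int, Dict[str, str]] = {
    1234: {"PATH": "/usr/bin", "HOME": "/root"},
    5678: {"PATH": "/usr/bin", "GLIBC_TUNABLES": "glibc.malloc.check=1", "HOME": "/var/www"},
}

# Minimal parser for the Apache/Nginx combined log format (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The PHPUnit file that CVE-2017-9841 abuses; it should never be web-reachable.
PHPUNIT_EVAL_RE = re.compile(
    r'/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php', re.IGNORECASE
)


def find_phpunit_rce_requests(lines: Iterable[str]) -> List[dict]:
    """Return one finding per request aimed at eval-stdin.php.

    'served' is True when the server answered with a non-error status, i.e. the
    file is actually exposed; a 404 still indicates probing and is worth noting.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        if PHPUNIT_EVAL_RE.search(m.group("path")):
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": status,
                "served": status < 400,
            })
    return hits


def find_glibc_tunables_processes(
    environs: Dict[int, Dict[str, str]], allowlist: FrozenSet[int] = frozenset()
) -> List[int]:
    """Return pids (sorted) whose environment sets GLIBC_TUNABLES.

    Legitimate uses exist (e.g. a deliberately tuned daemon), so an allowlist of
    known pids keeps the check from paging on them.
    """
    return sorted(
        pid for pid, env in environs.items()
        if "GLIBC_TUNABLES" in env and pid not in allowlist
    )


def read_proc_environs() -> Dict[int, Dict[str, str]]:
    """Read /proc/<pid>/environ for every readable process (Linux only, assumption).

    Entries are NUL-separated KEY=VALUE pairs; processes we lack permission to
    read are skipped silently.
    """
    environs: Dict[int, Dict[str, str]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                raw = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        env = {}
        for item in raw.split(b"\0"):
            if b"=" in item:
                key, _, value = item.partition(b"=")
                env[key.decode(errors="replace")] = value.decode(errors="replace")
        environs[int(name)] = env
    return environs


if __name__ == "__main__":
    for hit in find_phpunit_rce_requests(SAMPLE_ACCESS_LOG.splitlines()):
        level = "CRITICAL" if hit["served"] else "WARN"
        print(f"[{level}] {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    for pid in find_glibc_tunables_processes(SAMPLE_PROCESS_ENVIRONS):
        print(f"[WARN] pid {pid} has GLIBC_TUNABLES set")
```

Run against the sample data, the log scan reports the served `POST` as critical (the file is exposed and answered) and the `404` probe as a warning; the process check flags pid 5678 only. On a real host, swap `SAMPLE_PROCESS_ENVIRONS` for `read_proc_environs()` and the sample log for the server's own file; both checks are cheap enough to run from a cron job or a container-side sensor.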

Intense manual activity and information search

After penetrating the systems, the attackers performed a series of manual operations such as gathering system information and user credentials. They also opened new interactive shell sessions and downloaded and executed scripts for managing webshells and running exploits, including the one for Looney Tunables. According to Assaf Morag, lead data analyst at Aqua Security, we are seeing an attempt by Kinsing to obtain details and credentials related to cloud service providers (CSPs).

Towards new threats in cloud computing

This new methodology adopted by Kinsing indicates a potential escalation in the group's behavior. Previously focused on spreading malware and crypto-mining activities, while also seeking to eliminate competing miners or act stealthily, the group now shows an interest in deepening its access to cloud resources. This move suggests that they may be planning more varied and intense actions, thereby increasing the risk to systems and services operating in the cloud.


11/07/2023 10:59

Editorial AI
