Foray into the cloud: Kinsing's new modus operandi
Advanced cyberattack strategies target cloud services through a critical vulnerability
The Kinsing hacker group attacks cloud systems using the Looney Tunables vulnerability to install crypto-mining software and steal credentials.
A new form of cyberattack has been observed in the cloud computing environment, where attackers from the group known as Kinsing, also known as Money Libra, exploit a vulnerability known as Looney Tunables (CVE-2023-4911). This hacker group, operational since 2021, is using this vulnerability to covertly install crypto-mining software in cloud-native environments, affecting platforms such as Kubernetes and other cloud services.
Combined exploitation of PHPUnit and Looney Tunables
The current technique employed by Kinsing is to first use a remote code execution vulnerability (CVE-2017-9841) present in PHPUnit to gain initial access to the system. Next, attackers use the Looney Tunables vulnerability to gain root privileges on the host Linux operating system. The alarm was raised by analysts at Aqua Security who noticed a deviation from Kinsing's usual pattern, observing manual tests rather than their usual automated attacks.
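The two-stage chain above (PHPUnit RCE for initial access, then Looney Tunables for local privilege escalation) gives defenders two concrete things to look for. The following Python is an added example, not code from the article or from Aqua Security: it scans constructed web-server access-log lines for requests to the PHPUnit script abused in CVE-2017-9841 (the `eval-stdin.php` path is public knowledge about that CVE, not something the article states), and flags process records where `GLIBC_TUNABLES`, the environment variable at the heart of CVE-2023-4911, is handed to a setuid binary or is suspiciously large.

```python
import re

# Constructed sample lines in combined-log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [07/Nov/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Nov/2023:10:01:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 17 "-" "curl/7.88"',
    '198.51.100.7 - - [07/Nov/2023:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

# Path of the PHPUnit script abused in CVE-2017-9841 (public CVE detail, not from the article).
PHPUNIT_EVAL_STDIN = re.compile(r"/phpunit/.*?/eval-stdin\.php", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_phpunit_probes(lines):
    """Return one record per request that touches the PHPUnit eval-stdin.php script."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and PHPUNIT_EVAL_STDIN.search(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits


def flag_glibc_tunables(env, setuid_binary, max_len=256):
    """Inspect one process-launch record (env dict plus whether the target is setuid).

    Returns a list of reasons, or None when GLIBC_TUNABLES is absent or unremarkable.
    The thresholds are assumptions for this example, not published indicators.
    """
    value = env.get("GLIBC_TUNABLES")
    if value is None:
        return None
    reasons = []
    if setuid_binary:
        reasons.append("GLIBC_TUNABLES passed to setuid binary")
    if len(value) > max_len:
        reasons.append("oversized GLIBC_TUNABLES value")
    return reasons or None


if __name__ == "__main__":
    for hit in find_phpunit_probes(SAMPLE_ACCESS_LOG):
        print("PHPUnit probe:", hit)
    print(flag_glibc_tunables({"GLIBC_TUNABLES": "glibc.malloc.mxfast=1"}, setuid_binary=True))
```

Feed the same functions real access logs and EDR/auditd exec records; a hit on both stages from one host is the pattern described above.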
Intense manual activity and information search
After penetrating the systems, the attackers performed a series of manual operations such as gathering system information and user credentials. They also opened new interactive shell sessions and downloaded and executed scripts for managing webshells and running exploits, including the one for Looney Tunables. According to Assaf Morag, lead data analyst at Aqua Security, "we are seeing an attempt by Kinsing to obtain details and credentials related to cloud service providers (CSPs)."
Towards new threats in cloud computing
This new methodology adopted by Kinsing indicates a potential escalation in the group's behavior. Previously the group focused on spreading malware and crypto-mining activities, while also seeking to eliminate competing miners or act stealthily; now it shows an interest in deepening its access to cloud resources. This move suggests that they may be planning more varied and intense actions, thereby increasing the risk to systems and services operating in the cloud.
11/07/2023 10:59
Marco Verro