Looney Tunables Vulnerability Exploited by Kinsing

Researchers intercepted Kinsing’s manual testing of the Looney Tunables vulnerability (CVE-2023-4911) as part of its cloud-native intrusion campaign, including attempts to harvest Cloud Service Provider credentials. The activity signals a shift from automated cryptomining to broader cloud-targeted operations, with rootkits, CSP credential access, and a web shell backdoor. #Kinsing #LooneyTunables #CVE-2023-4911 #CVE-2017-9841 #AWS #CSP

Keypoints

  • The Kinsing threat actor targets cloud-native environments (Kubernetes, Docker API, Redis, Jenkins) and is known for agile exploitation of misconfigurations and vulnerabilities.
  • Researchers observed a shift from automated mining to manual testing of the Looney Tunables (CVE-2023-4911) vulnerability, expanding Kinsing’s attack surface in cloud environments.
  • Initial access occurred via the PHPUnit vulnerability (CVE-2017-9841), with downstream activity including a reverse shell on port 1337.
  • Attackers deployed a multi-stage payload: bc.pl, a PHP exploit, and a de-obfuscated PHP/JS backdoor (wesobase.js) offering file management, command execution, and network capabilities.
  • The campaign shows credential access attempts targeting CSPs, including potential exposure of AWS instance metadata credentials (169.254.169.254).
  • MITRE ATT&CK mappings shown include T1190, T1059, T1505, T1068, T1027, T1003, and T1082/T1083, highlighting evolving defense-evasion and discovery techniques.
  • The report emphasizes vulnerability patching, image scanning, least-privilege configurations, and runtime CNDR monitoring to mitigate Kinsing’s cloud-targeted tactics.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The initial access was conducted by exploitation of the PHPUnit vulnerability (CVE-2017-9841). “The initial access was conducted by exploitation of the PHPUnit vulnerability (CVE-2017-9841).”
  • [T1059] Command and Scripting Interpreter – The actor downloads and runs the Perl script bc.pl to execute payload. “downloads and runs the Perl script bc.pl.”
  • [T1505] Server Software Component – Involves exploitation of server components in the attack flow. “Server Software Component (T1505)”.
  • [T1068] Exploitation for Privilege Escalation – Attempts to gain root privileges; “This command failed and the threat actor is trying to get root privileges on the system.”
  • [T1027] Obfuscated/Compressed Files and Information – The wesobase.js backdoor is encoded/obfuscated. “The wesobase.js script is encoded (base64).”
  • [T1003] OS Credential Dumping – Goals include accessing Cloud Service Provider credentials. “OS Credential Dumping (T1003)”
  • [T1082] System Information Discovery – Collecting host details like kernel name and hostname. “Getting the kernel name and hostname by using the uname -a command.”
  • [T1083] File and Directory Discovery – Includes actions like creating directories under /tmp as part of the workflow. “Creating a directory under /tmp.”

Indicators of Compromise

  • [IP Address] context – 194.233.65.92, attacker IP address
  • [Domain] context – haxx.in, Exploit download site
  • [Files] context – Python MD5: ea685e738adedc02ca1a63ebe8ed939e (CVE-2023-4911 exploit), and 1 more hash; PHP MD5: 9a868bb2456bcde27cde7985145ef6fc; JS MD5: 5dce322f5284213912012e7ba2440da0; Perl MD5: 5d3c00b79be956d4175d0d5fd1d4f1f9
  • [URL] context – http://169.254.169.254/latest/latest/dynamic/instance-identity/document (AWS metadata service)
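As an added example (not part of the Aqua report), the following Python script matches a batch of host and network events against the indicators listed above: the attacker IP, the exploit download domain, the file hashes, the reverse-shell port from the key points, and access to the AWS instance metadata service. The event line format (`kind key=value ...`) and every sample event are constructed for this example; the indicator values themselves are the ones given in this page.

```python
"""
Added example, not code from the Aqua report: match constructed host/network
events against the Kinsing indicators listed on this page.
"""
import re
from dataclasses import dataclass

# Indicators copied from the IoC and key-point sections above
ATTACKER_IPS = {"194.233.65.92"}
EXPLOIT_DOMAINS = {"haxx.in"}
MALICIOUS_MD5 = {
    "ea685e738adedc02ca1a63ebe8ed939e": "Python CVE-2023-4911 exploit",
    "9a868bb2456bcde27cde7985145ef6fc": "PHP exploit",
    "5dce322f5284213912012e7ba2440da0": "wesobase.js backdoor",
    "5d3c00b79be956d4175d0d5fd1d4f1f9": "bc.pl Perl script",
}
IMDS_HOST = "169.254.169.254"
REVERSE_SHELL_PORT = 1337


@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str
    event: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str):
    """Split a constructed 'kind k=v k=v ...' line into (kind, fields)."""
    line = line.strip()
    if not line:
        return None, {}
    kind, _, rest = line.partition(" ")
    return kind.lower(), dict(_KV.findall(rest))


def check_event(line: str) -> list[Hit]:
    """Apply every indicator rule to one event; returns zero or more hits."""
    kind, f = parse_event(line)
    hits: list[Hit] = []
    if kind in ("net", "http"):
        dst = f.get("dst", "")
        if dst in ATTACKER_IPS:
            hits.append(Hit("attacker_ip", f"connection to {dst}", line))
        if f.get("dport", "").isdigit() and int(f["dport"]) == REVERSE_SHELL_PORT:
            hits.append(Hit("reverse_shell_port", f"outbound to port {REVERSE_SHELL_PORT}", line))
        # Legitimate agents also query IMDS; the hit is for triage by source
        # workload, and is the reason to enforce IMDSv2 with a low hop limit.
        if dst == IMDS_HOST:
            hits.append(Hit("imds_access", f"{f.get('src', '?')} queried {f.get('path', 'IMDS')}", line))
    elif kind == "dns":
        q = f.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in EXPLOIT_DOMAINS):
            hits.append(Hit("exploit_domain", f"lookup of {q}", line))
    elif kind == "file":
        md5 = f.get("md5", "").lower()
        if md5 in MALICIOUS_MD5:
            hits.append(Hit("known_malicious_file", f"{f.get('path', '?')} = {MALICIOUS_MD5[md5]}", line))
    return hits


def scan_events(lines) -> list[Hit]:
    """Run check_event over a sequence of event lines, preserving order."""
    return [h for line in lines for h in check_event(line)]


# Constructed sample events (IPs 10.0.x.x and host names are made up);
# the IMDS path is the one listed in the IoC section of this page.
SAMPLE_EVENTS = [
    "net src=10.0.3.7 dst=194.233.65.92 dport=1337",
    "dns src=10.0.3.7 query=haxx.in",
    "http src=10.0.3.7 dst=169.254.169.254 path=/latest/latest/dynamic/instance-identity/document",
    "file host=web-1 path=/tmp/bc.pl md5=5d3c00b79be956d4175d0d5fd1d4f1f9",
    "net src=10.0.3.7 dst=10.0.0.5 dport=443",
    "file host=web-1 path=/usr/bin/ls md5=00000000000000000000000000000000",
]

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"[{h.rule}] {h.detail}")
```

The first sample event produces two hits (attacker IP and port 1337), the benign events produce none, and the domain rule also matches subdomains of haxx.in while ignoring look-alike names that merely end in the same characters.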

Read more: https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing