Exploited ‘Looney Tunables’ Linux privileged escalation bug linked to Kinsing threat actor

The first instance of an exploit attack on the so-called "Looney Tunables" Linux privileged escalation vulnerability (CVE-2023-4911) was reported by researchers from Aqua Nautilus.

In a blog post Nov. 3, the Aqua Nautilus researchers said they are “100% certain” that threat actor Kinsing was behind the attack, but they are not ready to disclose “how” just yet.

Aqua Nautilus researchers said in a forthcoming report dedicated to Kinsing that they will unveil the enigma surrounding the case. They promised a comprehensive analysis, demonstrating the methodologies and evidence that let the Aqua team conclusively link the attack to the threat actor that has a storied history.

To date, no research group has conclusively linked Kinsing to any named specific threat group, nation-state or otherwise. However, Kinsing represents a significant threat to cloud environments, particularly Kubernetes clusters, Docker APIs, Redis servers, and Jenkins servers, the Aqua Nautilus researchers said. Their ability to quickly adapt to new vulnerabilities and their persistent efforts to exploit misconfigurations make them a formidable adversary. The Kinsing threat actor has been actively involved in cryptojacking operations.

Kinsing observed exploiting Openfire servers

The Aqua Nautilus researchers reported Kinsing has been recently observed exploiting vulnerable Openfire servers. This has actually been a robust modus operandi of Kinsing, specifically to promptly append its arsenal exploits of newly discovered vulnerabilities. In addition, the Aqua Nautilus blog said Microsoft Defender for Cloud has reported a large number of clusters infected from misconfigurations in PostgreSQL servers and four other vulnerable container images: PHPUnit, Weblogic, Liferay and WordPress.

The Looney Tunables vulnerability affects Linux systems that are commonly containerized and used in cloud environments, said Andrew Barratt, vice president at Coalfire.

“The reason it’s significant is that it potentially grants an intruder a persistent position with elevated privileges, allowing them to manipulate and control the underlying system, cloud or otherwise,” said Barratt. “Due to orchestration engine's ability to scale, this could then allow an attacker to quickly test an attack that would quickly grant access to an entire cloud-based infrastructure.”

Anurag Gurtu, CPO at StrikeReady, said for security teams, the immediate step should be to thoroughly investigate their environments for indicators-of-compromise associated with this vulnerability. Gurtu said patch management is crucial: ensuring all systems are updated with the latest security patches can prevent exploitation.

"It’s also advisable to conduct a review of system configurations and reduce unnecessary exposure of critical interfaces to the public internet," said Gurtu. "Continuously monitoring and scanning for vulnerabilities in the environment should become a regular practice. Security teams should enforce the principle of least privilege to limit the access scope even if a component is compromised."