Friday, May 24, 2024

Hackers Actively Exploiting Linux Privilege Escalation Flaw to Attack Cloud Environments

Linux Privilege Escalation flaw is one of the highly critical flaws as it can allow an attacker to gain elevated privileges on a system, potentially leading to full control. 

Hackers typically exploit these vulnerabilities by crafting malicious code or commands that take advantage of the flaw, then execute them on a target system to gain higher privileges, enabling them to carry out malicious activities, such as;

  • Installing malware
  • Stealing data
  • Compromising the system’s integrity

Aqua Nautilus researchers recently intercepted the Kinsing’s cloud hack, and they found an unusual CVE-2023-4911 exploit, exposing the attacker’s actions.

Kinsing threat actor hijacks servers for crypto profits and extracts CSP credentials to expand their cloud attacks.

Linux Privilege Escalation Flaw

Kinsing usually automates crypto mining, but recent manual tests signal a shift. 

They’re targeting CVE-2023-4911 vulnerabilities, which alarming experts, and that’s why researchers recommended users to watch out for their evolving tactics.

The PHPUnit flaw (CVE-2017-9841) gave Kinsing initial access. It used Perl script to create a reverse shell on port 1337. Manual commands were carefully chosen after trial and error.

Looney Tunables (CVE-2023-4911) is a dangerous GNU C Library vulnerability, and Kinsing exploits it for root access. The flaw involves ‘GLIBC_TUNABLES,’ while the Kinsing uses an exploit from @bl4sty’s site, targeting this vulnerability. 

The exploit is based on Qualys’ method and works on multiple architectures. Kinsing also deploys a PHP exploit and a de-obfuscated JavaScript for more attacks.

De-obfuscated PHP script (Source - Aquasec)
De-obfuscated PHP script (Source – Aquasec)

Apart from this, the Wesobase.js is a base64-encoded script, revealing a PHP-JavaScript mix that forms a web shell backdoor for unauthorized server access.

Here below, we have mentioned all the key features:-

  • Password Protection
  • File Management
  • Command Execution
  • Network Interactions
  • Encryption and Decryption
  • Server Information
  • User-Agent Handling
  • Character Set Conversion

Credentials and Data that Could be Exposed

Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.

Here below, we have mentioned all the types of credentials and data that could be exposed:-

  • Temporary Security Credentials
  • IAM Role Credentials
  • Instance Identity Tokens


Here below, we have mentioned all the recommendations offered by the security researchers:-

  • Vulnerability Patching
  • Monitoring and Detection
  • Use robust security solutions
  • Always implement limited accessibility to guest users


IOCs (Source - Aquasec)
IOCs (Source – Aquasec)

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles