Tuesday, November 12, 2024
HomeCloudHackers Actively Exploiting Linux Privilege Escalation Flaw to Attack Cloud Environments

Hackers Actively Exploiting Linux Privilege Escalation Flaw to Attack Cloud Environments

Published on

Malware protection

Linux Privilege Escalation flaw is one of the highly critical flaws as it can allow an attacker to gain elevated privileges on a system, potentially leading to full control. 

Hackers typically exploit these vulnerabilities by crafting malicious code or commands that take advantage of the flaw, then execute them on a target system to gain higher privileges, enabling them to carry out malicious activities, such as;

  • Installing malware
  • Stealing data
  • Compromising the system’s integrity

Aqua Nautilus researchers recently intercepted the Kinsing’s cloud hack, and they found an unusual CVE-2023-4911 exploit, exposing the attacker’s actions.

- Advertisement - SIEM as a Service

Kinsing threat actor hijacks servers for crypto profits and extracts CSP credentials to expand their cloud attacks.

Linux Privilege Escalation Flaw

Kinsing usually automates crypto mining, but recent manual tests signal a shift. 

They’re targeting CVE-2023-4911 vulnerabilities, which alarming experts, and that’s why researchers recommended users to watch out for their evolving tactics.

The PHPUnit flaw (CVE-2017-9841) gave Kinsing initial access. It used Perl script bc.pl to create a reverse shell on port 1337. Manual commands were carefully chosen after trial and error.

Looney Tunables (CVE-2023-4911) is a dangerous GNU C Library vulnerability, and Kinsing exploits it for root access. The flaw involves ‘GLIBC_TUNABLES,’ while the Kinsing uses an exploit from @bl4sty’s site, targeting this vulnerability. 

The exploit is based on Qualys’ method and works on multiple architectures. Kinsing also deploys a PHP exploit and a de-obfuscated JavaScript for more attacks.

De-obfuscated PHP script (Source - Aquasec)
De-obfuscated PHP script (Source – Aquasec)

Apart from this, the Wesobase.js is a base64-encoded script, revealing a PHP-JavaScript mix that forms a web shell backdoor for unauthorized server access.

Here below, we have mentioned all the key features:-

  • Password Protection
  • File Management
  • Command Execution
  • Network Interactions
  • Encryption and Decryption
  • Server Information
  • User-Agent Handling
  • Character Set Conversion

Credentials and Data that Could be Exposed

Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.

Here below, we have mentioned all the types of credentials and data that could be exposed:-

  • Temporary Security Credentials
  • IAM Role Credentials
  • Instance Identity Tokens

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers:-

  • Vulnerability Patching
  • Monitoring and Detection
  • Use robust security solutions
  • Always implement limited accessibility to guest users

IOCs

IOCs (Source - Aquasec)
IOCs (Source – Aquasec)

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...