Hackers Actively Exploiting Linux Privilege Escalation Flaw to Attack Cloud Environments

Linux Privilege Escalation flaw is one of the highly critical flaws as it can allow an attacker to gain elevated privileges on a system, potentially leading to full control. 

Hackers typically exploit these vulnerabilities by crafting malicious code or commands that take advantage of the flaw, then execute them on a target system to gain higher privileges, enabling them to carry out malicious activities, such as;

• Installing malware
• Stealing data
• Compromising the system’s integrity

Aqua Nautilus researchers recently intercepted the Kinsing’s cloud hack, and they found an unusual CVE-2023-4911 exploit, exposing the attacker’s actions.

Kinsing threat actor hijacks servers for crypto profits and extracts CSP credentials to expand their cloud attacks.

Linux Privilege Escalation Flaw

Kinsing usually automates crypto mining, but recent manual tests signal a shift. 

They’re targeting CVE-2023-4911 vulnerabilities, which alarming experts, and that’s why researchers recommended users to watch out for their evolving tactics.

The PHPUnit flaw (CVE-2017-9841) gave Kinsing initial access. It used Perl script bc.pl to create a reverse shell on port 1337. Manual commands were carefully chosen after trial and error.

Looney Tunables (CVE-2023-4911) is a dangerous GNU C Library vulnerability, and Kinsing exploits it for root access. The flaw involves ‘GLIBC_TUNABLES,’ while the Kinsing uses an exploit from @bl4sty’s site, targeting this vulnerability. 

The exploit is based on Qualys’ method and works on multiple architectures. Kinsing also deploys a PHP exploit and a de-obfuscated JavaScript for more attacks.

Apart from this, the Wesobase.js is a base64-encoded script, revealing a PHP-JavaScript mix that forms a web shell backdoor for unauthorized server access.

Here below, we have mentioned all the key features:-

• Password Protection
• File Management
• Command Execution
• Network Interactions
• Encryption and Decryption
• Server Information
• User-Agent Handling
• Character Set Conversion

Credentials and Data that Could be Exposed

Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.

Here below, we have mentioned all the types of credentials and data that could be exposed:-

• Temporary Security Credentials
• IAM Role Credentials
• Instance Identity Tokens

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers:-

• Vulnerability Patching
• Monitoring and Detection
• Use robust security solutions
• Always implement limited accessibility to guest users

IOCs

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.