That's All Folks!

The term “Looney Tunables” refers to a vulnerability in the GNU C library (glibc), a core library of Linux-based systems.  This library has a hand in many foundational operations such as opening and reading files, threading, memory allocation, and console printing.  The bug was introduced in April of 2021, but the CVE was not posted to NIST until October 3rd, 2023.  The vulnerability was discovered by the Qualys Threat Research Unit in early September of this year.

A buffer overflow vulnerability was discovered in the library's dynamic loader, ld.so, whose job is to find and load the shared objects a program needs.  This vulnerability can affect a number of Linux distributions, including recent versions of Fedora, Ubuntu, and Debian.  Distributions that use the musl C library instead of glibc, such as Alpine, are not affected.

The nickname of this vulnerability is derived from the fact that the buffer overflow can occur while the loader processes an environment variable named GLIBC_TUNABLES.  This environment variable is a feature of the GNU C library that lets developers alter certain runtime library behaviors to match their workloads.  An attacker can trigger the overflow by supplying a maliciously crafted value for this variable.  Doing so when launching a binary that runs with elevated privileges could allow code to be executed with root permissions on Linux systems.
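As an added illustration written for this summary (not code from the original post, from glibc, or from Qualys), the following Python applies a defender's view of the mechanism above: it strictly validates a GLIBC_TUNABLES value against the format the glibc manual documents (colon-separated `name=value` pairs in the `glibc.*` namespace) and flags any process record where the variable reaches a set-user-ID executable, the situation CVE-2023-4911 abuses.  The process record layout and the sample records are assumptions constructed here.

```python
import re

# Documented form of the variable: colon-separated name=value pairs, e.g.
# "glibc.malloc.mxfast=64:glibc.rtld.nns=2"; tunable names live in the glibc.* namespace.
TUNABLE_NAME = re.compile(r"^glibc(\.[a-z0-9_]+)+$")
TUNABLE_VALUE = re.compile(r"^[A-Za-z0-9_./-]*$")  # no '=', ':' or shell metacharacters


def check_tunables(value: str) -> list[str]:
    """Return the reasons a GLIBC_TUNABLES value fails strict validation (empty if clean)."""
    problems = []
    for pair in value.split(":"):
        if not pair:
            continue  # glibc tolerates empty fields between colons
        name, sep, val = pair.partition("=")
        if not sep:
            problems.append(f"missing '=' in {pair!r}")
        elif not TUNABLE_NAME.match(name):
            problems.append(f"unknown tunable name {name!r}")
        elif not TUNABLE_VALUE.match(val):
            problems.append(f"suspicious value for {name}: {val!r}")
    return problems


def scan_processes(records) -> list[tuple[int, str, list[str]]]:
    """Flag process records whose environment carries GLIBC_TUNABLES in a way worth triage."""
    # Assumed record layout: {"pid": int, "exe": str, "setuid": bool, "env": {name: value}}
    findings = []
    for rec in records:
        env = rec.get("env", {})
        if "GLIBC_TUNABLES" not in env:
            continue
        reasons = check_tunables(env["GLIBC_TUNABLES"])
        if rec.get("setuid"):
            # A privileged program should never need caller-supplied tunables.
            reasons.append("GLIBC_TUNABLES set on a set-user-ID executable")
        if reasons:
            findings.append((rec["pid"], rec["exe"], reasons))
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"pid": 101, "exe": "/usr/bin/python3", "setuid": False,
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=64:glibc.rtld.nns=2"}},
    {"pid": 102, "exe": "/usr/bin/su", "setuid": True,
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=64"}},
    {"pid": 103, "exe": "/usr/bin/sudo", "setuid": True,
     "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=64=64:foo.bar=1"}},
    {"pid": 104, "exe": "/bin/sh", "setuid": False, "env": {}},
]
```

Running `scan_processes(SAMPLE_RECORDS)` reports pids 102 and 103; on a live host the same records can be built from each process's environment and the mode bits of its executable.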

Recently linked to the Looney Tunables vulnerability is the Kinsing malware, which is primarily known as crypto-mining malware; the threat actors behind it are often involved in cryptojacking operations.  Previous analysis has revealed Kinsing to be written in Golang.  The typical targets for this malware include cloud-native environments such as Kubernetes clusters, Docker APIs, Redis servers, and Jenkins servers, among others.

Kinsing threat actors have a history of adapting their attack chains to fit new security flaws.  A recent example of this is leveraging a path traversal bug in the Openfire admin console to achieve remote code execution.  Other recent campaigns have involved attempts to exploit open default WebLogic ports to execute shell commands and launch malware.

[Figure omitted] (Source: Aqua)

It is also not uncommon for rootkits to be used to hide the presence of Kinsing on infected systems.  In addition, competing resource-intensive services are often terminated in the presence of Kinsing in an attempt to maximize the mining efficiency of the malware.

The threat actors behind Kinsing have been discovered trying to exploit the Looney Tunables vulnerability in a new campaign targeting cloud systems.  It has also been suggested that this observation marks the first publicly documented instance of an exploitation attempt using Looney Tunables.  The observed attack is a multi-stage attack that begins by utilizing a remote code execution vulnerability in PHPUnit, a technique the Kinsing group has used since at least 2021.  Once this step is complete, the victim machine is probed for an opportunity to take advantage of Looney Tunables with a Python script developed by an X user named Blasty (bl4sty).

At this point, an additional PHP exploit is used in order to execute some JavaScript, which then creates a web shell backdoor on the system.  This backdoor provides a number of features such as password protection for the shell, file management, arbitrary command execution, network interactions, encryption, collection of server information, and much more.

In some ways, this can be seen as an escalation in the threat level of the group and their malware.  An Aqua Nautilus analysis of this attack reveals that it is an attempt to gather information and credentials for cloud service providers.  The types of credentials available to this kind of attack include temporary security credentials, IAM role credentials, and instance identity tokens.  This case can be viewed as an escalation since this is likely the first time Kinsing has been seen attempting to gather this kind of information.

In summary, Looney Tunables is a vulnerability in the GNU C library’s shared object loader that affects a variety of Linux distributions, including Fedora, Ubuntu, and Debian, and that can allow malicious code to be executed with elevated privileges.

The Kinsing malware is generally seen as a crypto mining malware whose targets often include cloud-native environments like Kubernetes clusters, Docker APIs, Redis servers, or Jenkins servers.  Rootkits are often used to conceal the malware’s presence and competing applications on infected systems are terminated in order to maximize mining efforts.  Notably, the threat actors behind Kinsing are known for being able to assimilate new techniques into their process.

Finally, researchers have observed the Kinsing malware attempting to exploit the Looney Tunables vulnerability on cloud systems.  The attack starts by exploiting a known vulnerability in PHPUnit, followed by confirming the presence of Looney Tunables with a Python script, then creating a backdoor into the system with another PHP exploit executing JavaScript.  This is a noted change in the Kinsing attack process given the attempts to gather machine information and cloud service provider credentials.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
