The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.
“Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP),” cloud security firm Aqua said in a report shared with The Hacker News.
Kinsing actors have a track record of swiftly and opportunistically adapting their attack chains to newly disclosed security flaws, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution.
The latest set of attacks obtains initial access by exploiting a critical remote code execution flaw in PHPUnit (CVE-2017-9841), a tactic the cryptojacking group has been known to employ since at least 2021.
The end goal of the attack appears to be extracting credentials associated with the cloud service provider for follow-on attacks, a significant tactical shift from the group's established pattern of deploying the Kinsing malware and launching a cryptocurrency miner.
“This marks the inaugural instance of Kinsing actively seeking to gather such information,” the company said.
“This recent development suggests a potential broadening of their operational scope, signaling that the Kinsing operation may diversify and intensify in the near future, thereby posing an increased threat to cloud-native environments.”