Kinsing Cyberattackers Debut Looney Tunables Cloud Exploits

Published: 23/11/2024   Category: security




Admins need to patch immediately, as the prolific cybercrime group pivots from cryptomining to going after cloud secrets and credentials.



An exploit for the recently disclosed Looney Tunables security vulnerability, which could allow cyberattackers to gain root privileges on millions of Linux systems, is making the rounds in attacks on cloud servers from the Kinsing cybercrime group, researchers are warning.
And it represents a concerning pivot in tactics for the cloud-attack specialist group.
Researchers from Aqua Nautilus have flagged Kinsing's experimental incursions into cloud environments using the bug (CVE-2023-4911, CVSS 7.8), a buffer overflow in the widely used GNU C Library (glibc) that ships with most major distributions of the open source operating system (OS) and can be exploited for privilege escalation.
"We have uncovered the threat actor's manual efforts to [carry out attacks]," according to an alert from the security firm issued on Nov. 3. "This marks the first documented instance of such an exploit, to the best of our knowledge."
Saeed Abbasi, manager of vulnerability and threat research at Qualys, noted that the development should spur immediate action from cloud security teams and administrators.
"The Looney Tunables vulnerability presents an urgent and severe security risk with widespread implications across millions of Linux systems," he said in an emailed statement. "The active exploitation by the Kinsing threat actor, known for their aggressive attacks on cloud infrastructures, heightens the threat level."
He noted that "... quick and decisive measures are critical; patching, securing credentials, monitoring configurations, and enhancing detection capabilities are not just recommended, but essential to fend off potential breaches that could lead to complete system compromise."
Once the Kinsing attackers establish initial access via a known PHPUnit vulnerability (CVE-2017-9841), they open a reverse shell on port 1337. From there, they use manually crafted shell commands to hunt for and exploit the Looney Tunables bug for privilege escalation — and, ultimately, carry out credential and secrets theft.
Aqua Nautilus warned that the types of data that could be stolen in a successful attack include:
Temporary Security Credentials: these can provide full access to AWS resources if the associated role has broad permissions;
IAM Role Credentials: these are used to grant permissions to the instance and any applications running on it to interact with other AWS services;
Instance Identity Tokens: these are used to prove the identity of the instance when interacting with AWS services and for signing API requests.
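As an added example, not code from the article or from Aqua Nautilus, the script below turns the attack chain described above into detection rules run over process-audit events: PHPUnit initial access, the reverse shell on port 1337, Looney Tunables attempts, and metadata-service credential access. The log format and sample lines are constructed for this example; the GLIBC_TUNABLES rule relies on the fact that CVE-2023-4911 is triggered through that environment variable, and the last rule on AWS's 169.254.169.254 metadata endpoint, neither of which the article itself names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified key=value process-audit format
# (not a real auditd or EDR format): one exec or connect event per line.
SAMPLE_LOGS = """\
ts=1699000000 event=exec user=www-data cmd="php vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" env=""
ts=1699000001 event=connect user=www-data dst=203.0.113.10:1337 cmd="bash -i"
ts=1699000005 event=exec user=www-data cmd="/usr/bin/su --help" env="GLIBC_TUNABLES=glibc.malloc.arena_max=2"
ts=1699000010 event=exec user=root cmd="curl http://169.254.169.254/latest/meta-data/iam/security-credentials/" env=""
ts=1699000020 event=exec user=deploy cmd="ls -la /srv" env="LANG=C.UTF-8"
"""

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping the quotes around values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in _KV.findall(line)}

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one parsed event."""
    hits: List[str] = []
    kind, cmd, env = ev.get("event"), ev.get("cmd", ""), ev.get("env", "")
    # Initial access: CVE-2017-9841 is reached through PHPUnit's eval-stdin.php.
    if kind == "exec" and "eval-stdin.php" in cmd:
        hits.append("phpunit-eval-stdin")
    # Reverse shell on the port the report attributes to this campaign.
    if kind == "connect" and ev.get("dst", "").endswith(":1337"):
        hits.append("reverse-shell-port-1337")
    # CVE-2023-4911 is triggered through the GLIBC_TUNABLES variable; a service
    # account setting it at all on a production host is a strong signal.
    if kind == "exec" and "GLIBC_TUNABLES=" in env:
        hits.append("looney-tunables-attempt")
    # The credentials and tokens listed above are served by the instance metadata
    # service; baseline legitimate agents (cloud-init, SSM) and alert on the rest.
    if kind == "exec" and "169.254.169.254" in cmd:
        hits.append("imds-credential-access")
    return hits

def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run every rule over every line and return (timestamp, rule) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        findings.extend((ev["ts"], hit) for hit in classify(ev))
    return findings

if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOGS):
        print(ts, rule)
```

Each rule is a starting point: in a real deployment the IMDS and GLIBC_TUNABLES rules in particular need a baseline of the host's legitimate agents and tuning to avoid noise.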
This new move shows that Kinsing might be planning to do more varied and intense activities soon, which is a strategic shift [that] marks a significant development in their approach.
The Kinsing group is known as an ongoing threat to containers and cloud-native environments, particularly Kubernetes clusters, the Docker API, Redis servers, Jenkins servers, and more, typically by exploiting recent vulnerabilities and cloud misconfigurations.
While the targets in this latest round of attacks are familiar, the manual probing for Looney Tunables by Kinsing members is a deviation from the group's usual modus operandi, according to Aqua Nautilus. In the past, Kinsing has typically gained initial access on a targeted cloud instance before deploying fully automated attacks with the primary objective of cryptojacking.
"The manual trial-and-error testing is a precursor to Kinsing's sinister intentions to broaden the scope of their automated attacks, specifically targeting cloud-native environments," Aqua Nautilus researchers warned.
