The Kinsing Actor Exploiting a New Linux Flaw to Breach Cloud Environments

Nov 03, 2023 | Newsroom | Cloud Security / Linux


Threat actors linked to Kinsing have been observed attempting to exploit a recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.

“Interestingly, the attacker also expanded the horizons of their native cloud attack by obtaining credentials from the Cloud Service Provider (CSP),” cloud security company Aqua said in a report shared by The Hacker News.

The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which can allow a threat actor to gain root privileges.


Kinsing actors have a track record of being opportunistic and rapidly adapting their attack chains to exploit newly disclosed security flaws to their advantage, most recently weaponizing a serious bug in Openfire (CVE-2023-32315) to achieve remote code execution.

The latest set of attacks involves exploiting a critical remote code execution flaw in PHPUnit (CVE-2017-9841), a tactic known to have been used by the cryptojacking group since at least 2021, to gain initial access.


This is followed by manually scanning the victim’s environment for Looney Tunables using a Python-based exploit published by a researcher who goes by the alias bl4sty on X (formerly Twitter).

“Subsequently, Kinsing took and implemented additional PHP exploits,” Aqua said. “At first, the exploit was hidden; however, upon de-obfuscation, it revealed itself to be a JavaScript designed for further exploitative activities.”

The JavaScript code, for its part, is a web shell that provides backdoor access to the server, enabling the attacker to perform file management, execute commands, and gather additional information about the machine it is running on.


The ultimate goal of the attack appears to be to obtain credentials associated with the cloud service provider for a series of attacks, a significant tactical shift from its pattern of deploying the Kinsing malware and launching a cryptocurrency miner.

“This marks Kinsing’s inaugural time actively seeking to collect such information,” the company said.

“This recent development suggests a potential expansion of their operational scope, indicating that Kinsing’s operations may diversify and intensify in the near future, thus posing an additional threat to the cloud-native environment.”
