November 22, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive instructing U.S. federal agencies to take urgent steps to protect their systems against a critical Linux vulnerability known as 'Looney Tunables.' Discovered by Qualys' Threat Research Unit and tracked as CVE-2023-4911, this vulnerability is a buffer overflow in the GNU C Library's ld.so dynamic loader.
The security flaw affects the most recent releases of widely used Linux distributions, including Fedora, Ubuntu, and Debian in their default configurations. System administrators are strongly advised to patch their systems promptly, as the vulnerability is actively exploited, with proof-of-concept (PoC) exploits circulating online since its disclosure in early October.
Qualys' Saeed Abbasi emphasized the urgency, stating, "With the ability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly."
CISA has added this actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog, where it is classified as a "frequent attack vector for malicious cyber actors" that poses "significant risks to the federal enterprise." U.S. Federal Civilian Executive Branch (FCEB) agencies must adhere to a December 12 deadline, set under binding operational directive BOD 22-01, published a year ago.
While the primary focus of BOD 22-01 is on U.S. federal agencies, CISA extends its recommendation to all organizations, including private companies, urging them to prioritize patching the 'Looney Tunables' security flaw immediately.
Security researchers from Aqua Nautilus revealed that Kinsing malware operators exploit the 'Looney Tunables' weakness in attacks targeting cloud environments. Beginning with the exploitation of a known vulnerability in the PHP testing framework 'PHPUnit,' threat actors then escalate privileges using the Linux vulnerability. Once root access has been secured, a JavaScript web shell is installed for backdoor access, enabling the execution of commands and unauthorized management of files.
Kinsing is notorious for breaching cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins, and deploying crypto-mining software on them. Recent observations by Microsoft highlight the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while Trend Micro reports exploitation of the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems. The ultimate aim of these attacks is to steal cloud service provider (CSP) credentials, specifically targeting AWS instance identity data.