{
	"id": "271a668a-4e66-4221-ac13-34b88eb1e046",
	"created_at": "2026-04-06T00:22:27.176495Z",
	"updated_at": "2026-04-10T03:34:59.835913Z",
	"deleted_at": null,
	"sha1_hash": "e4257eef53d49415b7cc6813b879bcf0fbc5a2a7",
	"title": "Looney Tunables Vulnerability Exploited by Kinsing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572374,
	"plain_text": "Looney Tunables Vulnerability Exploited by Kinsing\r\nBy Assaf Morag\r\nPublished: 2023-11-03 · Archived: 2026-04-05 18:59:21 UTC\r\nResearchers from Aqua Nautilus have successfully intercepted Kinsing’s experimental incursions into cloud environments. Using a rudimentary yet typical PHPUnit vulnerability exploit attack, a component of Kinsing’s ongoing campaign, we have uncovered the threat actor’s manual efforts to exploit the Looney Tunables vulnerability (CVE-2023-4911). To the best of our knowledge, this marks the first documented instance of such an exploit. Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP). In this blog post, we delve deeper into the Kinsing campaign and its operations, highlighting the novelties in this particular attack and emphasizing the critical importance of vigilance and heightened awareness in the face of these evolving threats.\r\nKinsing Threat Actor: A Brief Overview\r\nThe Kinsing threat actor represents a significant threat to cloud-native environments, particularly Kubernetes clusters, the Docker API, Redis servers, Jenkins servers and others. Their ability to quickly adapt to new vulnerabilities and their persistent efforts to exploit misconfigurations make them a formidable adversary. The threat actor has been actively involved in cryptojacking operations. Aqua Nautilus researchers and other cybersecurity experts have been tracking their activities to understand their tactics, techniques, and procedures (TTPs).\r\nKinsing has a storied history of targeting containerized environments. They have been known to leverage misconfigured open Docker daemon API ports and exploit newly disclosed vulnerabilities to deploy cryptocurrency mining software. 
Their operations are characterized by their agility in adapting to new vulnerabilities and their persistent efforts to exploit cloud-native environments.\r\nRecently, Kinsing has been observed exploiting vulnerable Openfire servers. This is actually a robust modus operandi of Kinsing, namely to promptly add exploits for newly discovered vulnerabilities to its arsenal. In addition, Microsoft Defender for Cloud has reported a large number of clusters infected due to misconfigurations in PostgreSQL servers and four other vulnerable container images (PHPUnit, WebLogic, Liferay and WordPress). The threat actor has been found employing rootkits to hide its presence on infected systems, and they actively terminate and uninstall competing resource-intensive services and processes to maximize their mining efficiency. Their recent campaigns have also involved scanning for open default WebLogic ports to execute shell commands and launch malware.\r\nWhat leads us to attribute this activity to Kinsing? At this time we’re 100% certain that this is Kinsing, but not ready to disclose how just yet. In an upcoming report dedicated to Kinsing, we intend to unveil the enigma surrounding this case. This forthcoming publication will provide a comprehensive analysis, demonstrating the methodologies and evidence that enabled us to conclusively link this attack to the Kinsing threat actor.\r\nhttps://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/\r\nPage 1 of 7\r\nThe Newest Attack Intercepted\r\nThe Kinsing threat actor has a history of exploiting the PHPUnit vulnerability (CVE-2017-9841), a tactic that is well-documented. Typically, Kinsing engages in fully automated attacks with the primary objective of mining cryptocurrency. 
However, in this recent discovery, we observed Kinsing conducting manual tests, a deviation from their usual modus operandi.\r\nThese tests were aimed at probing the Looney Tunables vulnerability (CVE-2023-4911), providing us with valuable insights into their operations. Below, we delve deeper into this matter, shedding light on Kinsing’s sinister intentions to broaden the scope of their automated attacks, specifically targeting cloud-native environments. This strategic shift marks a significant development in their approach, underscoring the need for heightened vigilance and robust security measures.\r\nAttack flow\r\nThe initial access was gained by exploiting the PHPUnit vulnerability (CVE-2017-9841).\r\nFigure 1: Exploitation of the PHPUnit vulnerability as recorded in one of our honeypots\r\nAs illustrated in Figure 1 above, Kinsing downloads and runs the Perl script bc.pl, which is the script shown in Figure 2 below. It opens a reverse shell on port 1337.\r\nFigure 2: The initial payload that creates a reverse shell to Kinsing’s C2 server\r\nFigure 3 below shows the manually crafted and tested shell commands executed by the Kinsing threat actor. It is important to note that the process of arriving at these commands involved extensive trial and error, which has been excluded from the screenshot for clarity. Only the pertinent commands have been retained.\r\nFigure 3: Shell commands manually written by the Kinsing threat actor\r\nBelow is a further explanation of the manual commands:\r\n1. Getting the kernel name and hostname by using the uname -a command.\r\n2. Getting the user account information by using the passwd command.\r\n3. Starting a new interactive shell session. The -i flag ensures that the shell is interactive, meaning it can receive and execute commands from the user. 
This command failed, and the threat actor then tries to obtain root privileges on the system.\r\n4. Creating a directory under /tmp.\r\n5. Downloading the script gnu-acme.py, which is actually an exploit for the Looney Tunables vulnerability (CVE-2023-4911), further explained below.\r\n6. Trying to list environment variables.\r\n7. Downloading and running a PHP script which deploys a JS file.\r\nLooney Tunables is a high-severity vulnerability that resides in the GNU C Library (glibc), specifically in its dynamic loader, ld.so. Identified as CVE-2023-4911, this vulnerability is a ticking time bomb due to its potential for local privilege escalation, allowing attackers to gain root access to affected systems. The crux of the issue lies in a buffer overflow in ld.so’s handling of the GLIBC_TUNABLES environment variable.\r\nIn this particular attack, Kinsing proceeds to retrieve an exploit directly from @bl4sty’s website. On his site, @bl4sty explains that the exploit is a Linux local privilege escalation exploit targeting the Looney Tunables vulnerability (CVE-2023-4911) found in GNU libc’s ld.so. He further clarifies that the exploit is based on the exploitation methodology detailed in the Qualys writeup, asserting its compatibility with x86(_64) and aarch64 architectures, and highlighting its potential for extension through the addition of new target offsets. The script is accessible for review here.\r\nSubsequently, Kinsing fetches and executes an additional PHP exploit. 
Initially, the exploit is obfuscated; however, upon de-obfuscation, it reveals itself to be JavaScript designed for further exploitative activities. Both scripts are illustrated in Figures 4 and 5, respectively, below.\r\nFigure 4: Obfuscated PHP script\r\nFigure 5: De-obfuscated PHP script to download backdoor\r\nThe wesobase.js script is base64-encoded; once decoded, the file turns out to be a mix of PHP and JavaScript code that creates a web shell backdoor, allowing further unauthorized access to the server. Below are some of its key features:\r\n1. Password Protection: The script includes a password mechanism to restrict access.\r\n2. File Management: There are functions for listing files, editing files, and other file-related operations.\r\n3. Command Execution: The script allows for the execution of arbitrary commands on the server.\r\n4. Network Interactions: There are functionalities for making network requests, binding to ports, and back-connecting to remote servers.\r\n5. Encryption and Decryption: There are references to encryption and decryption functions, suggesting that the script may handle sensitive data.\r\n6. Server Information: The script collects and displays information about the server it is running on.\r\n7. User-Agent Handling: The script checks the user agent of the client making requests to it.\r\n8. Character Set Conversion: There is functionality for handling character set conversions.\r\nUltimately, it becomes apparent that Kinsing is attempting to enumerate the details and credentials associated with the Cloud Service Provider (CSP). 
As depicted in Figure 6 below, in our case Kinsing is trying to obtain the AWS instance identity. Exposure of the credentials associated with the instance metadata service, such as the endpoint at http://169.254.169.254/latest/latest/dynamic/instance-identity/document, can be highly risky, especially in cloud environments. The types of credentials and sensitive data that can be exposed include:\r\n1. Temporary Security Credentials: These are provided by the AWS Security Token Service (STS) and are used by applications running on the instance to perform actions with AWS services. They are temporary by nature but can provide full access to AWS resources if the associated role has broad permissions.\r\n2. IAM Role Credentials: If an EC2 instance is assigned an IAM role, the credentials for this role can be accessed through the metadata service. These credentials are used to grant permissions to the instance and any applications running on it to interact with other AWS services.\r\n3. Instance Identity Tokens: These tokens are used to prove the identity of the instance when interacting with AWS services and for signing API requests.\r\nFigure 6: Attempt to collect AWS metadata\r\nFrom what we know, this is the first time Kinsing has tried to collect this kind of information. Previously, they mostly focused on spreading their malware and running a cryptominer, often trying to increase their chances of success by eliminating competition or evading detection. 
This new move, however, shows that Kinsing might be planning more varied and intense activities soon, which could mean a bigger risk for systems and services that run in the cloud.\r\nMapping the Campaign to the MITRE ATT\u0026CK Framework\r\nOur investigation showed that the attackers have been using some common techniques throughout the campaign. However, the defense evasion tactics have evolved:\r\nInitial Access: Exploit Public-Facing Application (T1190)\r\nExecution: Command and Scripting Interpreter (T1059)\r\nPersistence: Server Software Component (T1505)\r\nPrivilege Escalation: Exploitation for Privilege Escalation (T1068)\r\nDefense Evasion: Obfuscated Files or Information (T1027)\r\nCredential Access: OS Credential Dumping (T1003)\r\nDiscovery: System Information Discovery (T1082); File and Directory Discovery (T1083)\r\nSummary, Detection, and Mitigation\r\nThe Aqua Nautilus research team has intercepted and analyzed a new experimental campaign by the Kinsing threat actor targeting cloud environments. Kinsing, known for its agility in exploiting vulnerabilities and misconfigurations in cloud-native environments, has shifted its tactics in this campaign. The threat actor manually exploited the Looney Tunables vulnerability (CVE-2023-4911) in GNU libc’s ld.so, marking the first known instance of such an exploit. 
Additionally, Kinsing is expanding its operations by attempting to collect credentials from Cloud Service Providers (CSPs), indicating a potential broadening of their operational scope and an increased threat to cloud-native environments.\r\nVulnerability Patching\r\nEnsure that all systems are up-to-date and patched, particularly focusing on known vulnerabilities like PHPUnit (CVE-2017-9841) and Looney Tunables (CVE-2023-4911).\r\nWe at Aqua Security emphasize the importance of scanning container images to identify and mitigate vulnerabilities that could be exploited by threat actors like Kinsing. By using Aqua’s CNAPP platform, organizations can proactively detect known vulnerabilities in their container images. This process is crucial in ensuring that all deployed containers are secure and free from exploitable flaws.\r\nAqua Security recommends conducting thorough reviews of authorization and authentication policies, adjusting them according to the principle of least privilege. Additionally, it is vital to be familiar with the images in use, ensuring they are configured with minimal privileges, and avoiding the use of the root user and privileged mode wherever possible. By implementing these practices, organizations can significantly reduce the attack surface and protect their cloud-native environments from threats like Kinsing.\r\nMonitoring and Detection\r\nEnhance monitoring capabilities to detect unusual activities, such as manual command executions, attempts to access or enumerate CSP credentials, and the execution of known malicious scripts. 
\r\nWhile vulnerability scanning is an essential preventative measure, Aqua Security also highlights the importance of runtime protection to defend against sophisticated attacks that may bypass initial security measures. Cloud-Native Detection and Response (CNDR) solutions play a critical role in this aspect, providing real-time monitoring and detection of malicious activities within the cloud environment. By continuously analyzing the behavior of running containers and applications, CNDR solutions can identify and respond to anomalies that may indicate a compromise, such as the manual command executions and lateral movements commonly associated with Kinsing attacks. Implementing a CNDR solution enhances an organization’s ability to detect and mitigate threats in real time, ensuring a robust security posture even in the face of advanced and persistent threats.\r\nBy combining vulnerability scanning with runtime protection through CNDR, organizations can establish a comprehensive security strategy, effectively mitigating the risk of Kinsing attacks and protecting their cloud-native environments.\r\nIndicators of Compromise (IOCs)\r\nIP address: 194.233.65.92 (Kinsing’s attacker IP address)\r\nDomain: haxx.in (CVE-2023-4911 exploit download site)\r\nFiles:\r\nPython, MD5 ea685e738adedc02ca1a63ebe8ed939e: CVE-2023-4911 exploit\r\nPHP, MD5 9a868bb2456bcde27cde7985145ef6fc: PHP exploit\r\nJS, MD5 5dce322f5284213912012e7ba2440da0: JS backdoor\r\nPerl, MD5 5d3c00b79be956d4175d0d5fd1d4f1f9: Reverse shell script\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. 
He is responsible for acquiring threat intelligence related to the software development life cycle in cloud-native environments, supporting the team's data needs, and helping Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course, focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/"
	],
	"report_names": [
		"loony-tunables-vulnerability-exploited-by-kinsing"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4257eef53d49415b7cc6813b879bcf0fbc5a2a7.pdf",
		"text": "https://archive.orkl.eu/e4257eef53d49415b7cc6813b879bcf0fbc5a2a7.txt",
		"img": "https://archive.orkl.eu/e4257eef53d49415b7cc6813b879bcf0fbc5a2a7.jpg"
	}
}