Connect with us

Hi, what are you looking for?


Cloud Security

‘Looney Tunables’ Glibc Vulnerability Exploited in Cloud Attacks 

Glibc vulnerability affecting major Linux distributions and tracked as Looney Tunables exploited in cloud attacks by Kinsing group. 

Looney Tunables vulnerability exploited

A serious privilege escalation vulnerability patched recently in the GNU C Library (glibc) has been exploited in cloud attacks by a threat group known for the use of the Kinsing malware and for its cryptojacking operations.  

The security hole, tracked as CVE-2023-4911 and named Looney Tunables, has been found to impact major Linux distributions, including Debian, Gentoo, Red Hat, and Ubuntu. It allows a local attacker to execute arbitrary code with elevated privileges.

According to cloud security firm Aqua Security, the group behind Kinsing, which is tracked by Palo Alto Networks as Money Libra, has exploited the Looney Tunables vulnerability in recent attacks.

The Kinsing group has been known for deploying its Linux malware in container environments, its ultimate goal being the delivery of cryptocurrency miners. The threat actor poses a significant threat to Kubernetes, Docker, Jenkins and Redis servers, and it was recently observed targeting Openfire servers via a vulnerability tracked as CVE-2023-32315.

In the recent attacks seen by Aqua Security, the Kinsing hackers exploited a PHPUnit vulnerability tracked as CVE-2017-9841 for initial access.

The attackers then conducted manual tests — this represents a deviation from their typical modus operandi — and this included attempts to exploit the Looney Tunables vulnerability, which can be leveraged to gain root access to the system. They targeted the flaw using a publicly available PoC exploit.

The hackers then downloaded additional scripts providing backdoor access to the server and enabling them to obtain information, particularly credentials associated with the Cloud Service Provider (CSP).

“From what we know, this is the first time Kinsing has tried to collect this kind of information,” Aqua Security noted. “Before, they mostly focused on spreading their malware and running a cryptominer, often trying to increase their chances to succeed by eliminating competition or evading detection. This, however, new move shows that Kinsing might be planning to do more varied and intense activities soon, which could mean a bigger risk for systems and services that run on the cloud.”

Advertisement. Scroll to continue reading.

The security firm has shared indicators of compromise (IoCs), MITRE ATT&CK mapping, and recommendations for preventing and detecting these types of attacks.

Related: Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution

Related: Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data

Related: StackRot Linux Kernel Vulnerability Shows Exploitability of UAFBR Bugs

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.