Governance & Risk Management , Patch Management

CISA Urges Patching as Hackers Exploit 'Looney Tunables' Bug

Kinsing Threat Actor Observed Targeting Vulnerable Cloud Environments With New Flaw
CISA Urges Patching as Hackers Exploit 'Looney Tunables' Bug
CISA adds Looney Tunables flaw affecting Linux systems to known exploited vulnerabilities catalog. (Image: Shutterstock)

U.S. federal agencies have until Dec. 12 to patch vulnerable Linux devices on their networks after researchers discovered an actively exploited security flaw.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The Cybersecurity and Infrastructure Security Agency added the "Looney Tunables" vulnerability, tracked as CVE-2023-4911, to its catalog of known exploited vulnerabilities Tuesday and mandated federal civilian branch agencies to download patches to protect government networks against active threats.

The Looney Tunables flaw was first disclosed in October, and Kinsing threat actors - otherwise known as Money Libra - subsequently used it to target cloud environments with malware attacks. Researchers have spotted Kinsing, a Linux executable and linking format malware program, deployed against containerized environments for cryptocurrency mining.

Red Hat researchers said the vulnerability traces to the GNU C Library, an open-source implementation of the C programming language standard library. The flaw specifically affected an environmental variable called GLIBC_TUNABLES. Threat actors can use the vulnerability to initiate a buffer overflow, flooding the variable with data that exceeds the allocated space and in turn allows unauthorized access to systems and the execution of code with elevated privileges. Kinsing threat actors craft malicious GLIBC_TUNABLES and carry out straightforward attacks across systems without any user interaction.

The threat group has exploited the Looney Tunables flaw to target major Linux distributions in recent attacks, including Debian, Gentoo, Red Hat and Ubuntu. In a blog post, Aqua Security said the Kinsing threat actor poses a "significant threat" to cloud-native environments such as Kubernetes clusters and docker API, as well as Redis and Jenkins servers, among others.

CISA urged private sector organizations to also implement patches against the Looney Tunables vulnerability, warning that known exploits "are frequent attack vectors for malicious cyber actors."

Cloud security researchers have tracked the malware program and Kinsing threat actors since 2021, when the security firm Sandfly Security observed cryptominers using the Log4j exploit.

Aqua Security also said that Kinsing threat actors typically engage in "fully automated attacks with the primary objective of mining cryptocurrency" but added that researchers have recently observed its operators conducting manual tests, "a deviation from their usual modus operandi."

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.