CISA Urges Patching as Hackers Exploit ‘Looney Tunables’ Bug

U.S. federal agencies have until Dec. 12 to patch vulnerable Linux devices on their networks after researchers discovered an actively exploited security flaw.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

The Cybersecurity and Infrastructure Security Agency added the “Looney Tunables” vulnerability, tracked as CVE-2023-4911, to its catalog of known exploited vulnerabilities Tuesday and mandated federal civilian branch agencies to download patches to protect government networks against active threats.

The Looney Tunables flaw was first disclosed in October, and Kinsing threat actors – otherwise known as Money Libra – subsequently used it to target cloud environments with malware attacks. Researchers have spotted Kinsing, a Linux executable and linking format malware program, deployed against containerized environments for cryptocurrency mining.

Red Hat researchers said the vulnerability traces to the GNU C Library, an open-source implementation of the C programming language standard library. The flaw specifically affected an environmental variable called GLIBC_TUNABLES. Threat actors can use the vulnerability to initiate a buffer overflow, flooding the variable with data that exceeds the allocated space and in turn allows unauthorized access to systems and the execution of code with elevated privileges. Kinsing threat actors craft malicious GLIBC_TUNABLES and carry out straightforward attacks across systems without any user interaction.

The threat group has exploited the Looney Tunables flaw to target major Linux distributions in recent attacks, including Debian, Gentoo, Red Hat and Ubuntu. In a blog post, Aqua Security said the Kinsing threat actor poses a “significant threat” to cloud-native environments such as Kubernetes clusters and docker API, as well as Redis and Jenkins servers, among others.

CISA urged private sector organizations to also implement patches against the Looney Tunables vulnerability, warning that known exploits “are frequent attack vectors for malicious cyber actors.”

Cloud security researchers have tracked the malware program and Kinsing threat actors since 2021, when the security firm Sandfly Security observed cryptominers using the Log4j exploit.

Aqua Security also said that Kinsing threat actors typically engage in “fully automated attacks with the primary objective of mining cryptocurrency” but added that researchers have recently observed its operators conducting manual tests, “a deviation from their usual modus operandi.”