CVE-2017-9841

Vulnerability Profile Updated a month ago
CVE-2017-9841 is a critical vulnerability in PHPUnit, a PHP testing framework. Attackers exploit the flaw to gain initial access: it lets them download and execute a Perl script that opens a reverse shell on the compromised machine. The vulnerability was actively exploited by the Kinsing threat actors, known for aggressive, fully automated attacks on cloud infrastructure aimed at mining cryptocurrency. Kinsing's exploitation of CVE-2017-9841 became more prevalent from 2021 onwards; the actors used it to establish initial access, often opening a reverse shell on port 1337, and then stole cloud service provider secrets, potentially leading to complete system compromise. This exploitation formed part of a larger attack chain that also used CVE-2023-4911, a buffer overflow in the GNU C Library's dynamic loader, to achieve root privileges on the underlying Linux distribution. To mitigate the risk from CVE-2017-9841, security experts recommend swift, decisive measures such as patching, securing credentials, monitoring configurations, and enhancing detection capabilities; these steps are essential to prevent breaches that could lead to complete system compromise. Given the active exploitation of this vulnerability, particularly by Kinsing, organizations should take these recommendations seriously to protect their cloud infrastructure.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Remote Code ...
Loader
Linux
CISA
Associated Malware
Kinsing (Type: Unspecified; Votes: 2)
Kinsing is a type of malware, malicious software designed to exploit and damage computer systems. It operates by infiltrating systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once embedded within a system, Kinsing can steal personal information, disrupt
Associated Threat Actors
Androxgh0st (Type: Unspecified; Votes: 3)
Androxgh0st is a prominent threat actor that has been identified as a significant cybersecurity risk by both the FBI and CISA. Known for its botnet, Androxgh0st has been actively involved in victim identification and exploitation, with several warnings issued to increase awareness and bolster defens
Associated Vulnerabilities
CVE-2023-4911 (Type: Unspecified; Votes: 1)
CVE-2023-4911, also known as the "Looney Tunables" vulnerability, is a significant software flaw found in the GNU C Library (glibc), specifically within its dynamic loader ld.so. This buffer overflow issue occurs when processing the GLIBC_TUNABLES environment variable, enabling threat actors to exec
Source Document References
Information about the CVE-2017-9841 vulnerability was read from the document corpus below. This display is limited to 20 results.
Log4J Still Among Top Exploited Vulnerabilities, Cato Finds (InfoSecurity-magazine, a month ago)
Looney Tunables bug exploited for cryptojacking - Help Net Security (CERT-EU, 7 months ago)
US Government Urges Action to Mitigate Androxgh0st Malware Threat (InfoSecurity-magazine, 5 months ago)
FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft (CERT-EU, 5 months ago)
Hackers' new favorite: CVE-2023-4911 targeting Debian, Ubuntu and Fedrora servers in the Cloud (CERT-EU, 7 months ago)
Kinsing Cyberattackers Debut 'Looney Tunables' Cloud Exploits (CERT-EU, 7 months ago)
Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials (CERT-EU, 5 months ago)
CISA and FBI Reveal Known Androxgh0st Malware IoCs and TTPs (CERT-EU, 5 months ago)
Sensor Intel Series: Top CVEs in December 2023 (CERT-EU, 4 months ago)
Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments (CERT-EU, 7 months ago)
Risk Fact #4: Malware in your Cloud means Exploitation is underway | Qualys Security Blog (CERT-EU, 10 months ago)
Sensor Intel Series: Top CVEs in February 2023 | F5 Labs (CERT-EU, a year ago)
CISA: AWS, Microsoft 365 Accounts Under Active 'Androxgh0st' Attack (DARKReading, 5 months ago)
CISA adds Looney Tunables Linux bug to its Known Exploited Vulnerabilities catalog (Securityaffairs, 7 months ago)
Sensor Intel Series: Top CVEs in April 2023 | F5 Labs (CERT-EU, a year ago)
Kinsing threat actors probed the Looney Tunables flaws (Securityaffairs, 7 months ago)
Known Indicators of Compromise Associated with Androxgh0st Malware | CISA (CISA, 5 months ago)
CISA and FBI Release Known IOCs Associated with Androxgh0st Malware | CISA (CISA, 5 months ago)
Androxgh0st Malware: SafeBreach Coverage for US-CERT Alert (AA24-016A) (CERT-EU, 5 months ago)
FBI: Beware of cloud-credential thieves building botnets (CERT-EU, 5 months ago)