Organizations running Windows containers in a Kubernetes cluster need to worry about new threats.
Palo Alto Networks (PAN) researchers discovered what they said was the first known malware targeting Windows containers. The malware is called Siloscape and is designed to escape from Windows containers to Kubernetes nodes so that it can spread in the cluster.
Attackers can use the malware to perform various malicious operations, such as stealing credentials and data, deploying ransomware, and disrupting enterprise software development and testing environments.
According to Daniel Prizmant, a senior researcher on PAN’s Unit 42 threat intelligence team, the malware is a manifestation of attackers’ increasing attention to cloud environments. “Attackers are undergoing their own digital transformation and are taking advantage of the large-scale transformation of enterprises to new technologies such as cloud and containers,” he said. “Therefore, container security becomes very important.”
Prizmant describes Siloscape as a highly obfuscated malware whose main purpose is to open a backdoor into an improperly configured Kubernetes cluster in order to run malicious containers. To this end, it first targets known vulnerabilities in common cloud applications (such as web servers) to gain initial access to a Windows container. It then uses a Windows container escape technique to break out of the container and gain code execution on the underlying node. According to PAN, there are several ways to escape Windows containers. The security vendor stated in its report that Siloscape uses a technique called thread impersonation, which has little documentation and even fewer working examples.
The malware checks whether the infected node has the permissions needed to create a new Kubernetes deployment. Siloscape then connects to its command-and-control (C2) server through the Tor network and executes the commands it receives. Unlike other malware, Siloscape does not contain functions that harm the Kubernetes cluster itself. According to the PAN report, its main function is to silently open a backdoor on the cluster, which attackers can then use for different malicious purposes.
“Because Siloscape opens a backdoor to the Kubernetes cluster, it allows an attacker to access and run any code anywhere on the victim’s cluster,” Prizmant said. “For example, attackers can use computing power for cryptojacking, or they can use it as part of a botnet for future DDoS attacks.”
Similarly, an attacker can use a backdoor to install malware to steal the victim’s internal data, including code, container images, and databases. Attackers can also use access rights to create ransomware attacks by locking and encrypting the cluster, or they can modify the cluster to attack other victims. “If the cluster runs a web server, an attacker can modify it and attack all its users by changing the server code,” Prizmant said.
PAN stated that its investigation of the C2 server revealed at least 23 active Siloscape victims. The analysis also showed that the C2 server was being used to host more than 300 users in total. According to the security vendor, the data shows that Siloscape is only part of a broader campaign targeting enterprise cloud environments, one that has been going on for more than a year.
Prizmant said that organizations that use Windows containers to run online applications, such as web servers, face the greatest risk. He said that a well-configured and secure Kubernetes cluster will make Siloscape’s life more difficult, because even if the malware manages to escape the container, it cannot take control of the cluster.
He suggested that organizations running Windows containers should use Kubernetes authorization modules (such as role-based access control) to restrict the permissions of each node. Prizmant added that users should not run anything in a Windows container that they would not want to run as an administrator on the host system.
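The following manifest is an added illustration of the least-privilege advice above; it is not code from PAN’s report or from the article. It binds a web workload’s service account to a namespaced Role that can only read ConfigMaps, so an identity stolen from an escaped container holds no right to create deployments. The namespace `web` and the service account name `web-frontend` are assumed names chosen for the example.

```yaml
# Illustrative least-privilege RBAC for a Windows web workload.
# Added example; namespace "web" and service account "web-frontend" are assumed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-frontend
  namespace: web
# Do not mount an API token into the pod unless the application really needs one.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: web-frontend-readonly
  namespace: web
rules:
# Only what the application needs: read its own ConfigMaps.
# No "create" on deployments and no cluster-wide rules, so a process that
# escapes the container with this identity cannot schedule new workloads.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-frontend-readonly
  namespace: web
subjects:
- kind: ServiceAccount
  name: web-frontend
  namespace: web
roleRef:
  kind: Role
  name: web-frontend-readonly
  apiGroup: rbac.authorization.k8s.io
```

After applying it, the check a defender wants is `kubectl auth can-i create deployments --all-namespaces --as=system:serviceaccount:web:web-frontend`, which should answer `no`. The node’s own kubelet credentials are covered separately: running the API server with `--authorization-mode=Node,RBAC` and the `NodeRestriction` admission plugin limits a kubelet identity to the objects bound to its own node, so it cannot be used to create deployments either.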
Jai Vijayan is an experienced technical journalist with more than 20 years of experience in the IT trade news field. He recently served as the senior editor of Computerworld, responsible for the information security and data privacy issues of the publication. In the course of his 20 years…