[German]Security researchers from Palo Alto Networks are sounding the alarm, having encountered malware called Siloscape. The malware attempts to compromise Windows containers running in Kubernetes clusters in the cloud. It then attempts to infiltrate all containers in the Kubernetes cluster. While this was previously only known to affect Linux, a malware called Siloscape is now also infecting Windows systems.
Advertising
Palo Alto Networks' Unit 42 malware research team released an investigative report detailing the first known malware targeting Windows containers.
What is Kubernetes
Kubernetes is an open-source system for automating the deployment, scaling and management of container applications, originally designed by Google and handed over to the Cloud Native Computing Foundation (CNCF)to run. Kubernetes aims to provide a "platform for automating the provisioning, scaling and maintenance of application containers on distributed hosts." It supports a range of container tools, including Docker. Orchestration using Kubernetes is supported by leading cloud platforms such as Microsoft Azure, IBM Cloud, Red Hat OpenShift, Amazon's EKS, Google's Kubernetes Engine and Oracle's OCI.
The Siloscape malware
The researchers named the malware Siloscape because its primary goal is to escape from the container. Siloscape is a highly obfuscated malware that targets Kubernetes clusters via Windows containers. The malware uses Tor proxy and a .onion domain to anonymously connect to its command-and-control (C2) server. Its main goal is to open a backdoor into poorly configured Kubernetes clusters to compromise containers.
Compromising an entire cluster is much more serious than compromising a single container. This is because a Kubernetes cluster could be running multiple cloud applications, while a single container typically contains only a single cloud application. If the compromise succeeds, for example, the attacker could steal critical information such as usernames and passwords, a company's confidential files, or even entire databases hosted in the cluster.
Such an attack could even be used as a ransomware attack by encrypting the company's files. Even worse, with the shift to the cloud, many companies are using Kubernetes clusters as development and testing environments. A breach of such an environment can lead to devastating attacks on the software supply chain.
Gained access to C&C server
Unit 42 security researchers managed to gain access to the C&C server. They identified 23 active Siloscape victims and discovered that the server was used for a total of 313 users. This indicates that Siloscape was a small part of a larger campaign. They also found out that this campaign has been running for more than a year. The malware is characterized by several behaviors and techniques:
Advertising
- Targets common cloud applications such as web servers for initial access, exploiting known vulnerabilities ("0-days") – presumably ones for which a working exploit exists in the wild.
- Uses Windows container escape techniques to escape the container and gain code execution on the underlying node.
- Attempts to abuse the node's credentials to propagate in the cluster.
- Connects to its C2 server using the IRC protocol over the Tor network and waits for further commands.
This malware can use the computational resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters.
Unlike most cloud malware, which focuses predominantly on resource hijacking and denial of service (DoS), Siloscape does not limit itself to a specific target. Instead, it opens a backdoor to all kinds of malicious activity.
As described in a previous Unit 42 post, users should follow Microsoft's guidelines and not use Windows containers as a security feature. Microsoft recommends using only Hyper-V containers for anything that relies on containerization as a security boundary. Any process running in Windows Server containers should be assumed to have the same permissions as the administrator on the host, which in this case is the Kubernetes node. If organizations are running applications in Windows Server containers that need to be secured, Unit 42 recommends moving those applications to Hyper-V containers.
Administrators should also ensure their Kubernetes cluster is securely configured. A secured Kubernetes cluster is not as vulnerable to this particular malware because node permissions are not sufficient to create new deployments. In this case, Siloscape is terminated. Siloscape shows the importance of container security, as it could not do significant damage without the container outbreak. It is important that organizations maintain a well-configured and secured cloud environment to protect against such threats. More details can be found in this post and this report.
