A piece of malware has been discovered that is the first known one to target Windows containers. It is named Siloscape because its primary goal is to escape the container, which in Windows is mainly done through a server silo. Siloscape is heavily disguised malware that targets Kubernetes clusters through Windows containers. Its main goal is to open a back door into poorly configured Kubernetes clusters in order to run malicious containers.
The compromise of an entire cluster is much more serious than that of a single container, as a cluster can run multiple cloud applications, while a single container typically runs only one. Worse, with the move to the cloud, many companies are using Kubernetes clusters as development and test environments. A breach of such an environment can lead to devastating attacks on the software supply chain.
Siloscape uses the Tor proxy and an .onion domain to connect anonymously to its command and control (C2) server. The researchers managed to gain access to this server. They identified 23 active Siloscape victims and discovered that the server was serving a total of 313 users, suggesting that Siloscape is a small part of a broader campaign. They also found that this campaign has been running for more than a year.
The malware is characterized by several behaviors and techniques:
- Aims for initial access to common cloud applications such as web servers and uses known vulnerabilities (“1-days”) – presumably those for which a functioning exploit exists in the wild.
- Uses Windows container escape techniques to escape the container and gain code execution on the underlying node.
- Tries to misuse the node’s credentials to spread across the cluster.
- Connects to its C2 server over the Tor network using the IRC protocol.
- Waits for further orders.
This malware can use the computing resources in a Kubernetes cluster for cryptojacking and exfiltrate potentially sensitive data from hundreds of applications running in the compromised clusters.
The examination of the C2 server showed that this malware is only a small part of a larger network and that this campaign has been running for over a year with active victims.
Unlike most cloud malware, which is largely focused on resource hijacking and denial of service (DoS), Siloscape does not limit itself to any specific target. Instead, it opens a back door for all kinds of malicious activity.
Microsoft's guidelines should be followed, and administrators should also ensure that their Kubernetes cluster is configured securely. A secured Kubernetes cluster is not as susceptible to this particular malware because the nodes do not have sufficient permissions to create new deployments.