8 June 2021

Researchers discover new malware targeting Windows containers


Researchers from security firm Palo Alto Networks are warning of a new malware strain, which is targeting Windows containers in order to compromise Kubernetes nodes and open a backdoor to clusters.

Dubbed Siloscape, the malware is the first known malware strain designed to target Windows containers. Siloscape compromises Kubernetes nodes by exploiting known vulnerabilities in web servers and databases.

“Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” Unit 42 security researcher Daniel Prizmant wrote.

The malicious attacks were discovered in March 2021 and are believed to have been ongoing for over a year.

To gain an initial foothold on the systems, the malware targets common cloud applications such as web servers using known vulnerabilities. It then uses Windows container escape techniques to break out of the container and gain code execution on the underlying node. Next, Siloscape uses the node's credentials to spread through the cluster and connects to its command and control server using the IRC protocol over the Tor network.

To escape the container, the malware impersonates CExecSvc.exe and then creates a symbolic link from its local containerized X drive to the host's C drive. It then searches for specific Kubernetes files and checks that it can execute kubectl commands.
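The two node-side behaviours described above are the ones a defender can most readily look for in endpoint telemetry. The following is an added example, not code from the article or from Unit 42: it replays a few constructed Windows-node events (the JSON event format and field names are hypothetical) and flags a containerized process creating a symbolic link that points at the host's C drive, and kubectl being launched from inside a container.

```python
"""Constructed detection example for the Siloscape behaviours described in the
article: a container-side symlink into the host's C: drive, and kubectl being
run from inside a container. Event format and field names are hypothetical."""
import json
from typing import Iterable, List, Optional

HOST_DRIVE = "C:"  # assumption: the node's system drive is C:


def drive_of(path: str) -> str:
    """Return the upper-cased drive prefix of a Windows path ('X:'), or ''."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def check_event(ev: dict) -> Optional[str]:
    """Return a finding for a suspicious event, or None if it looks benign."""
    cid = ev.get("container_id", "")
    if not cid:  # events from host processes are out of scope for these two rules
        return None
    if ev["type"] == "symlink_create":
        # A link created on the container's own (non-C:) drive that resolves to
        # the host's C: drive is the escape primitive the article describes.
        if drive_of(ev["link"]) != HOST_DRIVE and drive_of(ev["target"]) == HOST_DRIVE:
            return f"container {cid}: symlink {ev['link']} -> host drive {ev['target']}"
    elif ev["type"] == "process_create":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in ("kubectl.exe", "kubectl"):
            return f"container {cid}: kubectl launched ({ev['cmdline']})"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Parse one JSON event per line and collect findings in input order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: one benign host symlink, one container-to-host
# symlink, kubectl from a container, kubectl from the host, a benign container link.
SAMPLE_EVENTS = r"""
{"type": "symlink_create", "container_id": "", "link": "C:\\links\\a", "target": "C:\\data"}
{"type": "symlink_create", "container_id": "abc123", "link": "X:\\host", "target": "C:\\"}
{"type": "process_create", "container_id": "abc123", "image": "C:\\k\\kubectl.exe", "cmdline": "kubectl get nodes"}
{"type": "process_create", "container_id": "", "image": "C:\\k\\kubectl.exe", "cmdline": "kubectl version"}
{"type": "symlink_create", "container_id": "abc123", "link": "X:\\a", "target": "X:\\b"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print("ALERT:", f)
```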

“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant explained.

The researcher noted that Siloscape does not, on its own, do anything that harms the cluster; its main purpose is to stay undetected and provide a backdoor to the cluster, which allows its operators to carry out malicious activities such as cryptojacking.

“Siloscape shows us the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats,” the researcher said.

