Researchers from security firm Palo Alto Networks are warning of a new malware strain that targets Windows containers in order to compromise Kubernetes nodes and open a backdoor into clusters.
Dubbed Siloscape, the malware is the first known strain designed to target Windows containers. Siloscape compromises Kubernetes nodes by exploiting known vulnerabilities in web servers and databases.
“Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” Unit 42 security researcher Daniel Prizmant wrote.
The malicious attacks were discovered in March 2021 and are believed to have been ongoing for over a year.
To gain an initial foothold, the malware targets common cloud applications such as web servers through known vulnerabilities. It then uses Windows container escape techniques to break out of the container and gain code execution on the underlying node. Next, Siloscape uses the node's credentials to spread through the cluster and connects to its command-and-control server over IRC via the Tor network.
To escape the container, the malware impersonates CExecSvc.exe and creates a global symbolic link that maps its local containerized X drive to the host's C drive. It then searches for specific Kubernetes files and verifies that it can run kubectl commands.
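The attack chain above gives a defender three concrete things to look for on a Windows node: a process posing as CExecSvc.exe outside its normal location, kubectl being launched from inside a workload container, and outbound traffic to Tor. The following is an added detection example written for this article; it is not code from Unit 42 or from the Siloscape sample. The event schema (the `type`, `image`, `container_id` and `dst_port` fields), the canonical CExecSvc.exe path and the Tor port list are assumptions, and the sample events are constructed; map the fields onto your own Sysmon or EDR telemetry before using it.

```python
"""Hypothetical detection pass over constructed Windows process/network events.

Assumptions (not from the article): each event is a dict with a 'type' of
'process_create' or 'network_connect', an 'image' path, a 'container_id'
that is empty for host processes, and 'dst_port' for network events.
"""
import ntpath

# Assumed canonical location of the real container host execution service.
CEXECSVC_PATH = r"c:\windows\system32\cexecsvc.exe"

# Tor default ports (ORPort 9001, DirPort 9030, SOCKS 9050/9150). A Tor
# client can be configured to use any port, so this is a heuristic only.
TOR_PORTS = {9001, 9030, 9050, 9150}


def flag_event(ev):
    """Return a list of reasons this event looks like Siloscape-style activity."""
    reasons = []
    kind = ev.get("type")
    image = ev.get("image", "")
    name = ntpath.basename(image).lower()

    if kind == "process_create":
        # Only the host service should carry the CExecSvc.exe name, and only
        # from its System32 location; anything else is impersonation.
        if name == "cexecsvc.exe" and image.lower() != CEXECSVC_PATH:
            reasons.append("process posing as CExecSvc.exe from a non-standard path")
        # A workload container has no business driving kubectl on the node.
        if name == "kubectl.exe" and ev.get("container_id"):
            reasons.append("kubectl launched from inside a container")
    elif kind == "network_connect":
        if ev.get("dst_port") in TOR_PORTS:
            reasons.append(
                f"outbound connection to Tor default port {ev['dst_port']}"
            )
    return reasons


def scan(events):
    """Run flag_event over a batch; returns (event id, reason) pairs."""
    return [(ev["id"], r) for ev in events for r in flag_event(ev)]


# Constructed sample telemetry: events 2, 3 and 5 should be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Windows\System32\CExecSvc.exe", "container_id": ""},
    {"id": 2, "type": "process_create",
     "image": r"C:\Users\Public\CExecSvc.exe", "container_id": "a1b2c3"},
    {"id": 3, "type": "process_create",
     "image": r"C:\k\kubectl.exe", "container_id": "a1b2c3"},
    {"id": 4, "type": "process_create",
     "image": r"C:\k\kubectl.exe", "container_id": ""},
    {"id": 5, "type": "network_connect",
     "image": r"C:\Users\Public\svc.exe", "container_id": "",
     "dst_ip": "198.51.100.7", "dst_port": 9050},
    {"id": 6, "type": "network_connect",
     "image": r"C:\k\kubelet.exe", "container_id": "",
     "dst_ip": "10.0.0.1", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Each check is intentionally narrow: the path comparison catches a copied or renamed binary but not a thread-token impersonation of the real service, and the Tor check misses a client configured on a non-default port, so treat hits as triage leads rather than a verdict.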
“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant explained.
The researcher noted that Siloscape does not itself do anything that harms the cluster; its main purpose is to stay undetected and provide a backdoor into the cluster, which lets its operators carry out malicious activities such as cryptojacking.
“Siloscape shows us the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats,” the researcher said.