IT administrators with cloud resources are being warned that new malware has been discovered targeting Windows containers.
In a report issued Monday, researcher Daniel Prizmant of Palo Alto Networks’ Unit 42 threat intelligence division dubbed the new threat Siloscape. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.
After accessing the malware’s command and control server, Palo Alto Networks identified 23 active Siloscape victims. It also discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign.
It concluded the campaign has been going on for more than a year.
Containers are a technology for packaging and running Windows and Linux applications across diverse environments on-premises and in the cloud. They provide a lightweight, isolated environment that makes apps easier to develop, deploy, and manage. Kubernetes is open-source software for deploying and managing containers at scale.
“Compromising an entire cluster is much more severe than compromising an individual container,” Prizmant wrote, “as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application. For example, the attacker might be able to steal critical information such as usernames and passwords, an organization’s confidential and internal files or even entire databases hosted in the cluster. Such an attack could even be leveraged as a ransomware attack, by taking hostage the organization’s files. Even worse, with organizations moving to the cloud, many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks.”
Siloscape is heavily obfuscated malware targeting Kubernetes through Windows containers (using Server Containers and not Hyper-V), says the report.
The malware is characterized by several behaviours and techniques:
- Targets common cloud applications such as web servers for initial access, using known vulnerabilities (“1-days”) – presumably those with a working exploit in the wild.
- Uses Windows container escape techniques to escape the container and gain code execution on the underlying node.
- Attempts to abuse the node’s credentials to spread in the cluster.
- Connects to its C2 server using the IRC protocol over the Tor network.
- Waits for further commands.
Typically, an attacker first achieves remote code execution (RCE) inside a Windows container through a known vulnerability or a vulnerable web page or database; the Siloscape malware is then executed.
“Unlike most cloud malware, which mostly focuses on resource hijacking and denial of service (DoS), Siloscape doesn’t limit itself to any specific goal,” says the report. “Instead, it opens a backdoor to all kinds of malicious activities.”
Administrators should follow Microsoft’s guidance that Windows containers shouldn’t be relied on as a security feature. Microsoft recommends using strictly Hyper-V containers for anything that depends on containerization as a security boundary. Any process running in a Windows Server container should be assumed to have the same privileges as an administrator on the host, which, in this case, is the Kubernetes node.
“If you are running applications in Windows Server containers that need to be secured, we recommend moving these applications to Hyper-V containers,” indicated the report.
Administrators should also make sure their Kubernetes cluster is securely configured. A secured Kubernetes cluster won’t be as vulnerable to this specific malware, because the nodes’ privileges won’t suffice to create new deployments. In that case, Siloscape will exit.
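The permission the report singles out is the node’s ability to create new deployments. The following is an added example, written for this article and not code from Palo Alto Networks, Unit 42 or the Kubernetes project, that audits that permission offline: it evaluates a set of RBAC objects the way Kubernetes RBAC does (bindings are purely additive, `*` is a wildcard, a Role only applies in its own namespace) against the kubelet identity, which Kubernetes names `system:node:<node-name>` in group `system:nodes`. The RBAC objects are constructed samples in a simplified shape; the node name `worker-1`, the namespace `dev` and the role `deployer` are made up for the illustration. On a real cluster the same data would be loaded from `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`.

```python
"""Offline RBAC audit: can a node's (kubelet's) identity create Deployments?

Added example for this article, not code from the report or from Kubernetes.
An empty result is the wanted state: per the report, Siloscape exits when the
node's privileges do not suffice to create new deployments.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample 1: a misconfigured cluster where cluster-admin was bound
# to every node (the whole system:nodes group).
MISCONFIGURED_RBAC: Dict = {
    "clusterRoles": [
        {"name": "cluster-admin",
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"name": "system:node",
         "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"],
                    "verbs": ["get", "list", "watch"]}]},
    ],
    "roles": [],
    "clusterRoleBindings": [
        {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    ],
    "roleBindings": [],
}

# Constructed sample 2: nodes hold only read rights cluster-wide, but a
# namespace-scoped RoleBinding hands one specific node deploy rights in "dev".
PARTIAL_RBAC: Dict = {
    "clusterRoles": MISCONFIGURED_RBAC["clusterRoles"],
    "roles": [
        {"namespace": "dev", "name": "deployer",
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["create", "update", "patch"]}]},
    ],
    "clusterRoleBindings": [
        {"roleRef": {"kind": "ClusterRole", "name": "system:node"},
         "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    ],
    "roleBindings": [
        {"namespace": "dev",
         "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "User", "name": "system:node:worker-1"}]},
    ],
}


def _hit(values: Iterable[str], wanted: str) -> bool:
    """RBAC list match: an entry of '*' matches anything."""
    return any(v in ("*", wanted) for v in values)


def rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    """True if a single RBAC rule grants `verb` on `resource` in `api_group`."""
    return (_hit(rule.get("apiGroups", []), api_group)
            and _hit(rule.get("resources", []), resource)
            and _hit(rule.get("verbs", []), verb))


def subject_matches(subject: Dict, user: str, groups: Iterable[str]) -> bool:
    """Does a binding subject name this user or one of its groups?"""
    if subject.get("kind") == "User":
        return subject.get("name") == user
    if subject.get("kind") == "Group":
        return subject.get("name") in groups
    return False  # ServiceAccount subjects are never a node identity


def rules_for(rbac: Dict, role_ref: Dict, namespace: str = "") -> List[Dict]:
    """Resolve a roleRef to its rules; a Role must live in the binding's namespace."""
    if role_ref["kind"] == "ClusterRole":
        return [r for cr in rbac["clusterRoles"]
                if cr["name"] == role_ref["name"] for r in cr["rules"]]
    return [r for role in rbac["roles"]
            if role["name"] == role_ref["name"] and role["namespace"] == namespace
            for r in role["rules"]]


def allowed_scopes(rbac: Dict, user: str, groups: Iterable[str],
                   api_group: str, resource: str, verb: str) -> Set[str]:
    """'*' for a cluster-wide grant, plus each namespace with a namespaced grant."""
    scopes: Set[str] = set()
    for crb in rbac["clusterRoleBindings"]:
        if any(subject_matches(s, user, groups) for s in crb["subjects"]) and any(
                rule_allows(r, api_group, resource, verb)
                for r in rules_for(rbac, crb["roleRef"])):
            scopes.add("*")
    for rb in rbac["roleBindings"]:
        if any(subject_matches(s, user, groups) for s in rb["subjects"]) and any(
                rule_allows(r, api_group, resource, verb)
                for r in rules_for(rbac, rb["roleRef"], rb["namespace"])):
            scopes.add(rb["namespace"])
    return scopes


def node_can_create_deployments(rbac: Dict, node_name: str) -> List[str]:
    """Scopes in which the kubelet identity of `node_name` may create Deployments."""
    user = f"system:node:{node_name}"          # Kubernetes' naming for kubelet certs
    groups = ["system:nodes", "system:authenticated"]
    return sorted(allowed_scopes(rbac, user, groups, "apps", "deployments", "create"))


if __name__ == "__main__":
    for label, rbac in (("misconfigured", MISCONFIGURED_RBAC), ("partial", PARTIAL_RBAC)):
        print(label, "worker-1 ->", node_can_create_deployments(rbac, "worker-1"))
```

The misconfigured sample reports `['*']` (any namespace), the partial one reports `['dev']` for `worker-1` and nothing for any other node. RBAC is only one authorizer: on a current cluster the kubelet is normally governed by the Node authorizer and the NodeRestriction admission plugin rather than by a binding to `system:nodes`, so a finding of `[]` here is necessary but not sufficient, and any explicit binding that gives node identities write access to workloads is the kind of misconfiguration this malware is built to exploit.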
“Siloscape shows us the importance of container security,” says the report, “as Siloscape wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats.”