Cybercriminals can steal cryptocoins or sensitive information from Windows Server Kubernetes containers

Jun 9, 2021 19:20 GMT  ·  By

Cybersecurity researchers have discovered Siloscape, the first known malware that infects Kubernetes clusters in cloud environments by attacking Windows Server containers. 

Daniel Prizmant, a cybersecurity researcher at Unit 42 notes "Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers".

Siloscape was first discovered in March 2021 and uses a number of techniques, including targeting common cloud applications such as web servers. It first gains a foothold through known vulnerabilities, then breaks out of the container's boundaries and gains remote code execution on the underlying node via Windows container escape techniques.

Prizmant explains that Siloscape breaks out of the container by impersonating the main thread of CExecSvc.exe and applying NtSetInformationSymbolicLink to a freshly established symbolic link. To do this, it mounts its local containerized X drive to the host's C disk.

Siloscape can steal crypto or sensitive information from Kubernetes applications 

Following this access, the malware attempts to spread through the cluster by abusing the node's credentials before establishing an anonymous connection to its command-and-control (C2) server via a Tor proxy. Afterward, it issues further instructions, such as cryptojacking and even exfiltrating sensitive data from Kubernetes applications.

Unlike other container-targeting malware that is primarily focused on cryptojacking, Siloscape itself does no damage to the cluster. Instead, it focuses on going unnoticed and undetectable while gaining backdoor access to the cluster.

Unit 42 claimed to have discovered 23 active victims after gaining access to the C2 server, which had a total of 313 users. Based on the C2 server's start date, the campaign is reported to have begun around January 12, 2020. This means that the malware is just one small element of a broader campaign that began over a year ago.

Unlike other cloud malware that focuses on resource hijacking and denial of service (DoS), Siloscape does not have an explicit goal. Instead, it creates a backdoor for all kinds of nefarious behavior.

Administrators should ensure that the Kubernetes cluster is securely configured. Most importantly, a protected Kubernetes cluster is less susceptible to this malware because the permissions of the nodes are not sufficient to create new deployments. Siloscape will terminate in this case.
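One way to check the property described above without touching a live cluster, as an added example that is not from the article or from Unit 42: a minimal evaluator of Kubernetes RBAC rules that answers the same question as `kubectl auth can-i create deployments --as-group=system:nodes`. The roles, binding names and rules below are constructed sample data (the real `system:node` ClusterRole is larger, and modern clusters also apply the Node authorizer), so they illustrate the check rather than reproduce any cluster's defaults.

```python
"""Would a kubelet/node identity be allowed to create Deployments?

Constructed example: a tiny RBAC evaluator (deny-by-default, '*' wildcards),
modelling what `kubectl auth can-i` answers. Siloscape relies on node
credentials being able to create deployments; if RBAC denies that, it exits.
"""
from typing import Dict, List

def rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    """True if one PolicyRule grants `verb` on `api_group/resource`."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))

def can_i(subject_groups: List[str], roles: Dict[str, List[Dict]], bindings: List[Dict],
          api_group: str, resource: str, verb: str) -> List[str]:
    """Names of bindings granting the verb to any of subject_groups; [] means denied."""
    granting = []
    for b in bindings:
        if not any(s["kind"] == "Group" and s["name"] in subject_groups for s in b["subjects"]):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in roles.get(b["roleRef"], [])):
            granting.append(b["name"])
    return granting

# Constructed sample roles (simplified; not the real built-in ClusterRoles).
ROLES = {
    "system:node": [{"apiGroups": [""], "resources": ["pods", "nodes", "secrets"],
                     "verbs": ["get", "list", "watch"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SAFE_BINDINGS = [{"name": "system:node", "roleRef": "system:node",
                  "subjects": [{"kind": "Group", "name": "system:nodes"}]}]
# Misconfiguration: a convenience binding that turns every node into cluster-admin.
RISKY_BINDINGS = SAFE_BINDINGS + [{"name": "nodes-are-admins", "roleRef": "cluster-admin",
                                  "subjects": [{"kind": "Group", "name": "system:nodes"}]}]

def node_can_create_deployments(bindings: List[Dict]) -> List[str]:
    """Bindings that let a node identity (group system:nodes) create apps/deployments."""
    return can_i(["system:nodes", "system:authenticated"], ROLES, bindings,
                 "apps", "deployments", "create")

if __name__ == "__main__":
    for label, binds in (("safe", SAFE_BINDINGS), ("risky", RISKY_BINDINGS)):
        hits = node_can_create_deployments(binds)
        print(f"{label}: {'DENIED' if not hits else 'ALLOWED via ' + ', '.join(hits)}")
```

On a real cluster the equivalent query is `kubectl auth can-i create deployments --as=system:node:<node-name> --as-group=system:nodes`; a "no" answer is the state this paragraph recommends.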

Siloscape demonstrates the need for container security: without the container escape, the malware could not have done any further damage.