A new malware strain, active for more than a year, has been discovered compromising Windows containers in order to reach the Kubernetes clusters that run them. The malware is named Siloscape (silo escape) because its primary goal is to break out of a Windows container, which Windows implements mainly as a server silo, and then plant a backdoor that lets the attackers abuse the underlying cluster.
What has happened?
According to Unit 42 security researchers, Siloscape is one of the first malware families to target Windows-based containers. It is also heavily obfuscated, which makes reversing its binary difficult for security analysts.
- For initial access, it targets common cloud applications such as web servers running in Windows containers, exploiting known vulnerabilities in them. Once inside a container, it uses Windows container escape techniques to achieve code execution on the underlying Kubernetes node.
- The compromised node is then searched for credentials, notably Kubernetes configuration files, which the malware uses to spread to other nodes in the cluster.
- In the final stage, it establishes a command-and-control (C2) channel to its operators using IRC over the Tor anonymity network and waits for incoming commands.
- After gaining access to the C2 server, the researchers identified 23 active Siloscape victims, while the server hosted 313 users in total, which suggests that Siloscape is only a small part of a much larger campaign.
The severity of the attacks
Siloscape backdoors Kubernetes clusters, and that backdoor can be used for further malicious activity such as credential theft, ransomware, data exfiltration, and supply chain attacks.
- Compromising an entire cluster is far more severe than compromising an individual container: a cluster runs many cloud applications, whereas a single container typically runs only one.
- It also does its best to evade detection, avoiding any action that could alert the cluster owners. That lets it keep a low profile even while performing activities such as cryptojacking.
Siloscape does not limit itself to any particular goal; instead, it opens a backdoor for all kinds of malicious activity. Kubernetes administrators are therefore advised to make sure their clusters are securely configured. In particular, Microsoft does not consider process-isolated Windows Server containers a security boundary, so workloads that run untrusted code should use Hyper-V isolated containers, and credentials that could reach the control plane should not be left lying around on worker nodes.
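The following manifests are an added hardening example aimed at the three behaviours described above (silo escape, credential harvesting on the node, and C2 over Tor); they are not from the article or from Unit 42. The defaults they replace are the weak settings: process isolation, an automatically mounted service account token, and unrestricted egress. The runtime handler name runhcs-wcow-hypervisor, the namespace web, the image tag and the backend label are assumptions that must match your own nodes and workloads.

```yaml
# Added example, not from the original article or Unit 42. Assumptions:
# the Windows nodes run containerd with a runtime handler named
# runhcs-wcow-hypervisor configured for Hyper-V isolation; the namespace
# "web", the image tag and the "app: backend" label are illustrative.
---
# 1. RuntimeClass mapping to the Hyper-V isolated runtime handler.
#    Without this, Windows pods run with process isolation, which is
#    exactly the silo boundary Siloscape escapes from.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: windows-hyperv
handler: runhcs-wcow-hypervisor   # assumed name from the node's containerd config
---
# 2. A Windows web server pod that uses Hyper-V isolation and does not
#    receive a service account token. Even after an escape, the attacker
#    finds no Kubernetes credential mounted into the workload.
apiVersion: v1
kind: Pod
metadata:
  name: iis-frontend
  namespace: web
spec:
  runtimeClassName: windows-hyperv          # default would be process isolation
  nodeSelector:
    kubernetes.io/os: windows
  automountServiceAccountToken: false       # default is true
  containers:
  - name: iis
    image: mcr.microsoft.com/windows/servercore/iis:ltsc2019
    ports:
    - containerPort: 80
---
# 3. Default-deny egress for the namespace: pods may only resolve names
#    through cluster DNS and talk to the backend they need. A backdoor
#    trying to reach an IRC server through Tor has no route out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: web
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```

Apply with kubectl apply -f, then verify with kubectl get pod iis-frontend -n web -o yaml that runtimeClassName and automountServiceAccountToken took effect. Two caveats: NetworkPolicy is only enforced on Windows nodes if the cluster's CNI plugin supports it there, and Hyper-V isolation through a RuntimeClass depends on the Kubernetes and containerd versions in use, so confirm both against your distribution's documentation before relying on them.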