New Kubernetes Malware Backdoors Windows Containers
The Malware’s End Goal Is to Backdoor the Windows Containers and Prepare Them for Attackers to Abuse Them in Other Malicious Activities.
Kubernetes was initially developed by Google and is at the moment maintained by the Cloud Native Computing Foundation.
Kubernetes is an open-source system that automates the deployment, scaling, and management of containerized workloads, services, and apps across clusters of hosts. It organizes application containers into pods, which run on nodes (physical or virtual machines); nodes form clusters, and each cluster is managed by a master (control plane) that coordinates cluster-wide tasks such as scaling or updating apps.
The malware, dubbed Siloscape by security researcher Daniel Prizmant, appears to be the first to target Windows containers. It exploits known vulnerabilities in web servers and databases with the end goal of compromising Kubernetes nodes and backdooring clusters.
Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.
Unit 42 researchers have previously only seen malware targeting containers in Linux due to the popularity of that operating system in cloud environments.
Siloscape works by compromising the web servers and then using various container escape tactics to achieve code execution on the underlying Kubernetes node.
Compromised nodes are then probed for credentials that allow the malware to spread to other nodes in the Kubernetes cluster. In the final stage of the infection, the malware establishes communication with its command-and-control (C2) server via IRC over the Tor anonymity network and listens for incoming commands from its operators.
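The infection chain described above ends with a Windows container opening an IRC session tunnelled through Tor. The script below is an added example written for this article (it is not code from the Siloscape analysis or from any vendor product) that shows what a defender can do with that fact: given per-pod outbound flow records and a list of Tor relay addresses, it flags Windows pods whose traffic fits the pattern. The `Flow` record shape, the relay list and every pod name and IP address are constructed sample data (TEST-NET-3 addresses), and the port lists are only a secondary signal, since Tor relays frequently listen on 443.

```python
"""Flag Windows-container pods whose outbound traffic looks like IRC-over-Tor C2.

Added example for this article; not code from the Siloscape analysis or any
vendor product. Assumes per-pod outbound flow records in the shape of Flow
(e.g. from a CNI flow collector or host firewall logs) and a separately
maintained set of Tor relay addresses. All names and IPs are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Port-based signals are weak on their own (relays often use 443), so relay
# membership is the primary check and these ports are only a secondary one.
IRC_PORTS = {6667, 6697}              # plaintext / TLS IRC
TOR_PORTS = {9001, 9030, 9050, 9051}  # common Tor OR / dir / SOCKS / control ports

# Constructed stand-in for the published Tor consensus (relay IPs).
KNOWN_TOR_RELAYS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Flow:
    pod: str        # namespace/pod that originated the connection
    node_os: str    # OS of the node the pod runs on ("windows" / "linux")
    dst_ip: str
    dst_port: int


def classify(flow: Flow, tor_relays: Iterable[str] = KNOWN_TOR_RELAYS) -> Optional[str]:
    """Return a short reason if the flow fits the C2 pattern, else None.

    Limited to Windows pods because that is the population the article's
    malware targets; drop the OS check to cover Linux pods as well.
    """
    if flow.node_os.lower() != "windows":
        return None
    if flow.dst_ip in set(tor_relays):
        return "destination is a known Tor relay"
    if flow.dst_port in IRC_PORTS:
        return "destination port is an IRC port"
    if flow.dst_port in TOR_PORTS:
        return "destination port is a Tor service port"
    return None


def find_suspicious(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Group suspicious flows by pod so several hits become one alert."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for flow in flows:
        reason = classify(flow)
        if reason:
            hits[flow.pod].append(f"{flow.dst_ip}:{flow.dst_port} ({reason})")
    return dict(hits)


# Constructed sample flows: a Windows pod reaching a Tor relay and an IRC port,
# a Linux pod reaching the same relay (out of scope here), and a benign
# Windows pod talking to an HTTPS service.
SAMPLE_FLOWS = [
    Flow("prod/iis-frontend-7c9", "windows", "203.0.113.10", 9001),
    Flow("prod/iis-frontend-7c9", "windows", "203.0.113.50", 6697),
    Flow("prod/api-linux-1a2", "linux", "203.0.113.10", 9001),
    Flow("prod/iis-backend-4f1", "windows", "203.0.113.80", 443),
]

if __name__ == "__main__":
    for pod, reasons in find_suspicious(SAMPLE_FLOWS).items():
        print(pod)
        for reason in reasons:
            print("  ", reason)
```

Run against the sample data, only `prod/iis-frontend-7c9` is reported, with both of its flows listed. A production version would refresh `KNOWN_TOR_RELAYS` from the Tor consensus and feed it real flow exports rather than the constructed list.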
After gaining access to the malware’s C2 server, Prizmant identified 23 active victims and found that the server was hosting 313 users in total, which suggests that Siloscape is just a small part of a much wider campaign.
Investigating the C2 server showed that this malware is just a small part of a larger network and that this campaign has been taking place for over a year.
Furthermore, I confirmed that this specific part of the campaign was online with active victims at the time of writing.
While most malware targeting cloud environments focuses on secretly mining cryptocurrency on infected devices or abusing them to launch DDoS attacks, Siloscape has a different agenda.
Siloscape does its best to evade detection, so it avoids any actions that could alert the compromised clusters’ owners to the attack, including cryptojacking.
Its only goal seems to be to backdoor Kubernetes clusters, opening the way for its operators to abuse the compromised cloud infrastructure for a broader range of malicious pursuits, such as credential theft, data exfiltration, ransomware attacks, or even supply chain attacks.
Compromising an entire cluster is much more severe than compromising an individual container, as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application.
Kubernetes administrators should switch from Windows Server containers to Hyper-V containers to ensure their clusters are securely configured and to prevent malware like Siloscape from deploying new malicious containers.
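One way to check whether a cluster follows that recommendation is to audit the Windows pods it is running. The script below is an added example written for this article, not code from Unit 42, Microsoft or the Kubernetes project. It consumes pod objects in the shape of the `items` list returned by `kubectl get pods -A -o json` and reports Windows pods that are not scheduled through a Hyper-V isolated RuntimeClass, as well as settings that hand a container node-level access (HostProcess pods, or running as `ContainerAdministrator`). It assumes the cluster has a RuntimeClass whose handler selects containerd's Hyper-V isolated Windows runtime; the name `runhcs-wcow-hypervisor` follows the upstream documentation convention and is an assumption to adjust for your own cluster. The pods in `SAMPLE_PODS` are constructed sample data.

```python
"""Audit Windows pods for Hyper-V isolation and node-level escape hatches.

Added example for this article; not code from Unit 42, Microsoft or the
Kubernetes project. Input: pod objects shaped like the "items" list from
`kubectl get pods -A -o json`. RUNTIME_CLASS_HYPERV is an assumed name.
"""
from typing import Dict, List

RUNTIME_CLASS_HYPERV = "runhcs-wcow-hypervisor"  # assumption: your cluster's RuntimeClass name


def is_windows_pod(spec: dict) -> bool:
    """A pod is Windows if it declares spec.os.name or selects a Windows node."""
    if spec.get("os", {}).get("name") == "windows":
        return True
    return spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"


def audit_pod(pod: dict) -> List[str]:
    """Return findings for one pod; an empty list means nothing to report."""
    spec = pod.get("spec", {})
    findings: List[str] = []
    if not is_windows_pod(spec):
        return findings

    # Process-isolated Windows Server containers share the node's kernel, which
    # is what makes container escapes possible; Hyper-V isolation is the
    # mitigation the article recommends.
    if spec.get("runtimeClassName") != RUNTIME_CLASS_HYPERV:
        findings.append("process-isolated: runtimeClassName is not the Hyper-V RuntimeClass")

    # HostProcess pods run directly on the node, bypassing container isolation.
    if spec.get("securityContext", {}).get("windowsOptions", {}).get("hostProcess"):
        findings.append("hostProcess pod runs directly on the node")

    for c in spec.get("containers", []):
        win = c.get("securityContext", {}).get("windowsOptions", {})
        if win.get("hostProcess"):
            findings.append(f"container {c.get('name')} is a hostProcess container")
        if win.get("runAsUserName", "").lower() == "containeradministrator":
            findings.append(f"container {c.get('name')} runs as ContainerAdministrator")
    return findings


def audit_cluster(items: List[dict]) -> Dict[str, List[str]]:
    """Map namespace/name -> findings for every pod that has at least one."""
    report: Dict[str, List[str]] = {}
    for pod in items:
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        findings = audit_pod(pod)
        if findings:
            report[key] = findings
    return report


# Constructed sample pods.
SAMPLE_PODS = [
    {   # Windows pod correctly scheduled through the Hyper-V RuntimeClass
        "metadata": {"namespace": "prod", "name": "iis-frontend-hv"},
        "spec": {"os": {"name": "windows"}, "runtimeClassName": RUNTIME_CLASS_HYPERV,
                 "containers": [{"name": "iis", "image": "example.invalid/iis:ltsc2019"}]},
    },
    {   # process-isolated Windows pod running as the container administrator
        "metadata": {"namespace": "prod", "name": "iis-frontend-proc"},
        "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
                 "containers": [{"name": "iis", "image": "example.invalid/iis:ltsc2019",
                                 "securityContext": {"windowsOptions":
                                                     {"runAsUserName": "ContainerAdministrator"}}}]},
    },
    {   # Linux pod, out of scope for this audit
        "metadata": {"namespace": "prod", "name": "api-linux"},
        "spec": {"os": {"name": "linux"},
                 "containers": [{"name": "api", "image": "example.invalid/api:1.0"}]},
    },
]

if __name__ == "__main__":
    for key, findings in audit_cluster(SAMPLE_PODS).items():
        print(key)
        for f in findings:
            print("  ", f)
```

On the sample data only `prod/iis-frontend-proc` is reported, with two findings. To run it against a live cluster, load the JSON from `kubectl get pods -A -o json` and pass its `items` list to `audit_cluster`.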