A newly identified, dubbed Siloscape by the threat researcher who first spotted it, appears to be the first-recorded malware to target and presents a potential risk to poorly configured enterprise clouds. Discovered by Daniel Prizmant of research unit in March 2021, Siloscape is an obfuscated malware that targets Windows containers and, from there, attempts to open a backdoor into poorly configured where it runs malicious containers.
Prizm said the emergence of malware targeting Windows containers was unsurprising given the surge inin the past few years. He named it Siloscape because its primary goal is to escape the container, which in Windows is implemented mainly by a server silo. He said compromising an entire Kubernetes cluster was much more damaging than a single container, as it can run multiple . In contrast, a single container would more usually run just one.
“The attacker might be able to steal critical information such as usernames and passwords, an organization’s confidential and internal files, or even entire databases hosted in the cluster. Such anby taking the organization’s files hostage,” said Prizmant in a newly published disclosure blog. “Even worse, with organizations , many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks.”
The malware works thus: it first targetssuch as web servers and accesses them via known vulnerabilities, uses the Windows container escape technique to escape from there to gain code execution on the underlying node, then attempts to abuse the node’s credentials to spread further through the Kubernetes cluster. It then uses the and a .onion domain to connect to its (C2) server to receive further commands. In the of his research, Prizmant also gained access to this server, where he and the Unit 42 team found evidence of 23 active victims and found that the server was hosting a total of 313 users, which may imply Siloscape sits as just one element of a much broader, long-running campaign of cyberattacks.
Prizm first became wise to the techniques, tactics, and procedures (TTP) exploited by Siloscapewhen he presented a method for escaping from a Windows container node in Kubernetes in a research paper. At first, he said, was not a problem because Windows Server containers aren’t a security boundary. Ergo, each should be treated as though executed directly on the host. But Microsoft changed tack after taking the issue to and forth between the two. It said an escape from a Windows container to a Kubernetes cluster was indeed a vulnerability when executed without admin rights inside the container. From there, he said it was a short leap to the discovery of Siloscape.
Prizm reiterated that, unlike mosthijacking or denial of service (DoS), Siloscape should be considered especially dangerous because it is not limited to specific goals and can be used for many other kinds of attack. “As discussed in my , users should follow Microsoft’s guidance recommending not to use Windows containers as a security feature. Microsoft recommends using strictly Hyper-V containers for anything that relies on containerization as a security boundary,” he said.
“Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host, which is the Kubernetes node. If you are running, we recommend moving these applications to Hyper-V containers. “Furthermore, administrators should make sure their configured. In particular, a secured Kubernetes cluster won’t be as vulnerable to this specific malware as the nodes’ privileges won’t suffice to create new deployments. In this case, Siloscape will exit,” he added. More in-depth technical information, including indicators of compromise (IoCs), .