Siloscape malware targets Windows containers to access Kubernetes clusters

The malware's aim is to open a backdoor into Kubernetes clusters to run malicious containers

A security researcher has revealed details of the first known malware targeting Windows containers, built with the aim of compromising Kubernetes clusters.

The malware, dubbed Siloscape, is heavily obfuscated, says its discoverer Daniel Prizmant, a researcher at Palo Alto Networks' Unit 42.

Siloscape appears to have been active for more than a year, its main purpose being to "open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers".

Kubernetes, also known as K8s, is an open-source system that helps enterprises automate the deployment, scaling and management of containerised applications. Although initially developed by Google, it is now maintained by the Cloud Native Computing Foundation. Many businesses use the system to support their cloud-native applications.

"Unlike most cloud malware, which mostly focuses on resource hijacking and denial of service (DoS), Siloscape doesn't limit itself to any specific goal," Prizmant said.

"Instead, it opens a backdoor to all kinds of malicious activities."

Prizmant gained access to the Siloscape operators' command and control (C2) server, despite their use of an .onion domain and a Tor proxy to reach it. The operators spotted him within two minutes and kicked him off the server, but not before he had extracted valuable details on the campaign.

Prizmant found that the malware initially targets "common cloud applications such as web servers for initial access, using known vulnerabilities", before using Windows container escape techniques to break out of the container and achieve code execution on the underlying node.

The malware then tries to abuse the node's credentials to move further into the cluster, and connects to its C2 server using the IRC protocol over the Tor network.

It also attempts to deploy cryptocurrency miners, which keep mining for as long as the activity goes undetected.

The researcher found 313 individual machines connecting to the C2 server, although he could verify only 23 of them as active Siloscape victims.

Prizmant said the discovery of malware targeting Windows containers was expected, given the increase in cloud adoption in the past few years.

"The attacker might be able to steal critical information such as usernames and passwords, an organisation's confidential and internal files or even entire databases hosted in the cluster. Such an attack could even be leveraged as a ransomware attack by taking the organisation's files hostage," said Prizmant.

He is advising users to follow Microsoft's guidance, which states that Windows Server containers should not be relied on as a security boundary.

Microsoft has also advised users to use Hyper-V isolated containers for anything that depends on containerisation as a security boundary, since those run each container on its own kernel inside a lightweight virtual machine rather than sharing the host kernel.

"Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host," Prizmant said.
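The difference between the two isolation modes is visible from the Docker CLI on a Windows host. The following PowerShell script is an added example, not code from the Unit 42 write-up or from Microsoft: it starts one container with the weak setting (process isolation, shared host kernel) and one with Hyper-V isolation, then audits the isolation mode of every running container. It assumes a Windows Server host running Docker Engine with the Hyper-V role installed, and uses the `mcr.microsoft.com/windows/servercore:ltsc2019` image, which must match the host build for process isolation to work.

```powershell
# Added example (not from the Unit 42 write-up): compare process and Hyper-V
# isolation and audit the running containers on a Windows Docker host.
# Assumes Docker Engine on Windows Server with the Hyper-V role installed.
$ErrorActionPreference = 'Stop'

# Assumed image; any Windows base image compatible with the host build works.
$Image = 'mcr.microsoft.com/windows/servercore:ltsc2019'

# Weak setting: process isolation shares the host kernel, so a container escape
# lands on the node with the container's privileges (the Siloscape scenario).
$weak = docker run -d --isolation=process $Image ping -t localhost

# Corrected setting: Hyper-V isolation gives the container its own kernel inside
# a lightweight VM, which is the boundary Microsoft says to rely on.
$hardened = docker run -d --isolation=hyperv $Image ping -t localhost

function Get-ContainerIsolation([string]$ContainerId) {
    # HostConfig.Isolation is 'process', 'hyperv', or 'default' when the
    # container inherits the daemon's default (shown by `docker info`).
    (docker inspect --format '{{.HostConfig.Isolation}}' $ContainerId).Trim()
}

foreach ($id in @($weak, $hardened)) {
    $mode = Get-ContainerIsolation $id
    if ($mode -eq 'hyperv') {
        Write-Host "Container $id runs with Hyper-V isolation."
    } else {
        Write-Warning "Container $id runs with '$mode' isolation: assume any process inside it is admin on the host."
    }
}

# Audit every running container on the host in the same way.
docker ps -q | ForEach-Object {
    $mode = Get-ContainerIsolation $_
    [pscustomobject]@{ Id = $_; Isolation = $mode; KernelBoundary = ($mode -eq 'hyperv') }
} | Format-Table -AutoSize

docker rm -f $weak $hardened | Out-Null
```

A value of `default` in the audit output means the container took the daemon's default isolation; on Windows Server that default is process isolation unless the daemon was configured otherwise, so treat it as `process` when deciding whether the container is a security boundary.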

The new findings come nearly three months after the Unit 42 team reported a new strain of the Hildegard malware targeting Kubernetes clusters, as part of a sophisticated campaign by the TeamTNT cybercrime gang.

The researchers said the strain of Hildegard they found had several new features that made it more persistent and covert than older versions. It encrypted its payload inside a binary and could conceal its activity by posing as a genuine Linux kernel process. The researchers also observed it connecting to its C2 server through either a tmate reverse shell or an IRC channel.