In the latest developments, a new Siloscape malware architectured to exploit Windows containers to scope Kubernetes clusters has been newly detected by security researchers.
Malicious Siloscape malware threat to Windows containers, Kubernetes clusters:
According to Palo Alto Networks’ Unit 42, the malware, named Siloscape, was primarily detected in March. What makes the malware unusual is that opposed to typical malware that target containers, Siloscape aims at the Linux OS for its widespread cloud applications and environments.
Posted in a fresh blog, the researchers attribute the name Siloscape to the Kubernetes targeting malware for its general focus to escape Windows containers by means of a server silo.
How does the Siloscape attack vector work:
It was provided by the security researchers that the Siloscape malware employs Tor proxy and a .onion domain with the goal to connect with its command-and-control(C2) server. Siloscape specifically targets Windows containers using Server as opposed to Hyper-V isolation.
Subsequent attacks are then deployed by exploiting unpatched, recognized vulnerabilities to obtain access to servers, web pages, or databases.
Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges.
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” provide the Unit 42 researchers. “More specifically, it links its local containerized X drive to the host’s C drive.”
Once the malware escapes, a provision to create malicious containers, exfiltrate data from applications of compromised Kubernetes clusters is carried out.
Other mal-activities also include loading cryptocurrency miners to abuse the compromised systems means, thereby furtively mine for cryptocurrency as long as the activities go undetected.
“The hardcoded key makes each binary a little bit different than the rest, which is why we couldn’t find its hash anywhere,” state the researchers. “It also makes it impossible to detect Siloscape by hash alone.”
Victims and preventive measures of Siloscape:
The research was successfully able to identify 23 active victims of the malware, while a total of 313 victims were also detected in the research.
Microsoft is of the opinion that Hyper-V containers are deployed if containerization is utilized for security boundaries rather as opposed to relying on standard Windows containers. Unit 42 also recommends that Kubernetes clusters be configured properly and should not permit node privileges alone to be enough to generate fresh deployments.