Siloscape malware targets Windows containers in Kubernetes clusters

Researchers from Palo Alto Networks (PAN) have discovered what they say is the first known malware targeting Windows containers. The malware, named Siloscape, is designed to escape from a Windows container into the Kubernetes node so it can spread in the cluster. Attackers can use the malware to carry out a variety of malicious actions, such as credential and data theft, deploying ransomware, and breaching enterprise software development and testing environments.

The malware was discovered by Unit 42 security researcher Daniel Prizmant. He dubbed it Siloscape, which he pronounces “Silo escape.” The malware pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters.

Prizmant said the emergence of malware targeting Windows containers was unsurprising given the surge in cloud adoption in the past few years. He named it Siloscape because its primary goal is to escape the container, which in Windows is implemented mainly by a server silo. He said that compromising an entire Kubernetes cluster was much more damaging than compromising a single container, as a cluster can run multiple cloud apps, whereas a single container would more usually run just one.

What is Kubernetes

Kubernetes is an open-source system for automating the deployment, scaling and management of container applications, originally designed by Google and handed over to the Cloud Native Computing Foundation (CNCF) to run. Kubernetes aims to provide a “platform for automating the provisioning, scaling and maintenance of application containers on distributed hosts.” It supports a range of container tools, including Docker. Orchestration using Kubernetes is supported by leading cloud platforms such as Microsoft Azure, IBM Cloud, Red Hat OpenShift, Amazon’s EKS, Google’s Kubernetes Engine and Oracle’s OCI.

Attackers could use the backdoor to install malware for stealing internal data of the victim, including code, container images, and databases. Attackers could also leverage the access to create a ransomware attack by locking and encrypting the cluster, or they could modify the cluster to attack other victims. “If the cluster runs a Web server, the attacker could modify it and attack all its users by changing the server’s code,” Prizmant says.

PAN says its investigation of the C2 server showed at least 23 active Siloscape victims. The analysis also showed that the C2 server was being used to host over 300 users in total. The data suggests that Siloscape is only part of a broader campaign targeting enterprise cloud environments and that the campaign has been going on for more than a year, the security vendor says.

Prizmant says organizations that use Windows containers to run online applications, such as Web servers, are most at risk. He says a well-configured Kubernetes cluster that’s secure will make life much harder for Siloscape. That’s because even if the malware manages to escape the container, it wouldn’t be able to take control of the cluster.

Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host, which in this case is the Kubernetes node. If you are running applications in Windows Server containers that need to be secured, we recommend moving these applications to Hyper-V containers.

“Furthermore, administrators should make sure their Kubernetes cluster is securely configured. In particular, a secured Kubernetes cluster won’t be as vulnerable to this specific malware as the nodes’ privileges won’t suffice to create new deployments. In this case, Siloscape will exit,” he added.
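The mitigation Prizmant describes is that a node's own identity should not be able to create new deployments, so that a container escape onto the node does not turn into control of the cluster. The following is an added example, not code from Palo Alto Networks or the Kubernetes project, of a small RBAC audit that flags ClusterRoleBindings granting node identities (the `system:nodes` group or any `system:node:<name>` user) write verbs on workload controllers in the `apps`/`batch` API groups. The ClusterRole and ClusterRoleBinding objects embedded below are constructed sample input in the shape that `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json` return under `.items`; the names `overly-broad-node-role`, `nodes-deploy`, `node-admin` and `win-node-1` are invented for the example. It checks RBAC bindings only, not the separate Node authorizer or admission plugins.

```python
import json

# Workload controllers an escaped process would need write access to in order
# to "create new deployments" on other nodes. Plain pods are deliberately left
# out: the built-in system:node role legitimately creates mirror pods.
WORKLOAD_RESOURCES = {"deployments", "daemonsets", "replicasets",
                      "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch", "*"}


def is_node_subject(subject):
    """True for the system:nodes group or a per-node system:node:<name> user."""
    kind = subject.get("kind")
    name = subject.get("name", "")
    if kind == "Group" and name == "system:nodes":
        return True
    return kind == "User" and name.startswith("system:node:")


def rule_allows_workload_write(rule):
    """True if one RBAC rule grants a write verb on a workload controller."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if not (verbs & WRITE_VERBS):
        return False
    if "*" in resources:
        return True
    return bool(resources & WORKLOAD_RESOURCES)


def audit_node_workload_permissions(cluster_roles, bindings):
    """Return (binding, role, subject) triples where a node identity is bound
    to a ClusterRole that allows creating or modifying workload controllers."""
    roles_by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for binding in bindings:
        node_subjects = [s for s in binding.get("subjects", []) if is_node_subject(s)]
        if not node_subjects:
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue  # binding to a role not in the export; skip rather than guess
        if any(rule_allows_workload_write(rule) for rule in role.get("rules", [])):
            for subject in node_subjects:
                findings.append((binding["metadata"]["name"],
                                 role["metadata"]["name"], subject["name"]))
    return findings


# Constructed sample input (not from a real cluster).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "read-only-nodes"},
     "rules": [{"apiGroups": [""], "resources": ["nodes", "pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "overly-broad-node-role"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
                "verbs": ["get", "create", "update"]}]},
    {"metadata": {"name": "cluster-admin-like"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "nodes-read"},
     "roleRef": {"kind": "ClusterRole", "name": "read-only-nodes"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"metadata": {"name": "nodes-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "overly-broad-node-role"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"metadata": {"name": "node-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin-like"},
     "subjects": [{"kind": "User", "name": "system:node:win-node-1"},
                  {"kind": "User", "name": "alice"}]},
]


def audit_sample():
    """Run the audit over the constructed sample; used for a quick self-check."""
    return audit_node_workload_permissions(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS)


if __name__ == "__main__":
    # Against a real cluster, load the two kubectl JSON exports and pass
    # their "items" lists to audit_node_workload_permissions() instead.
    for binding, role, subject in audit_sample():
        print(f"FINDING: binding {binding} gives {subject} workload write access via {role}")
```

On the sample this reports two findings: `nodes-deploy` (the `system:nodes` group can create deployments) and `node-admin` (one node user holds a wildcard role). The `nodes-read` binding, which only grants get/list/watch, is not reported; that is the shape of the "securely configured" cluster the article describes, where an escaped process on a node cannot create new deployments.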