New Kubernetes Malware Backdoors Clusters via Windows Containers


A malware strain that has been at large for over a year has been observed compromising Kubernetes clusters and clearing the way for a backdoor that gives the attacker persistent access.

Kubernetes was originally developed by Google and is currently maintained by the Cloud Native Computing Foundation. It is an open-source system that helps automate the deployment, management and scaling of containerized applications and services over “clusters” of hosts.

The malware, known as “Siloscape”, is the first known strain of malware to target Windows containers. It also exploits known vulnerabilities affecting web servers and databases.

Once it compromises the web servers, Siloscape uses various container escape tactics to achieve code execution on the underlying Kubernetes node. Compromised nodes are then probed for credentials that allow the malware to spread to other nodes in the Kubernetes cluster.

The impact:

Victims of this malware will likely have their Kubernetes clusters backdoored, allowing the attacker to retain continued access, effectively compromising the whole cluster and putting others at risk of exploitation as well.

In addition, this malware also exposes victims to ransomware as well as supply chain attacks. This means that services provided via a compromised Kubernetes cluster can infect a client's systems as well.

The remediation:

Kubernetes admins are advised to switch from Windows containers to Hyper-V containers and ensure that their cluster is configured with the necessary controls to prevent malware like Siloscape from deploying new malicious containers.
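One of the controls implied above is making sure that no workload identity (service account) holds cluster-wide rights that would let a compromised container launch new containers or read cluster credentials. The script below is an added example, not part of the article or of any cited report: it audits a constructed, hypothetical RBAC snapshot (shaped like the `items` of `kubectl get clusterroles,clusterrolebindings -o json`) for exactly those two kinds of permission. The role and binding names are invented for illustration.

```python
"""Audit a Kubernetes RBAC snapshot for rights that would let a compromised
workload deploy new containers or read Secrets cluster-wide.

Added example; the objects below are a constructed, hypothetical snapshot
embedded inline so the script runs offline.
"""

# Resources whose create/patch rights let a caller launch new containers.
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "replicasets",
                      "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}
# Reading Secrets is how a foothold on one node becomes cluster-wide access.
CREDENTIAL_RESOURCES = {"secrets"}
READ_VERBS = {"get", "list", "watch"}

# --- constructed sample snapshot (hypothetical names) ---
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list"]}]},
    {"metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["create", "patch"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "web-frontend-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "web-frontend",
                   "namespace": "prod"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "ops-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]


def _covers(granted, wanted):
    """True if any granted name (or the wildcard '*') covers any wanted name."""
    return any(g == "*" or g in wanted for g in granted)


def rule_risks(rule):
    """Return the set of risk tags a single RBAC PolicyRule carries."""
    risks = set()
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    if _covers(resources, WORKLOAD_RESOURCES) and _covers(verbs, WRITE_VERBS):
        risks.add("can-deploy-containers")
    if _covers(resources, CREDENTIAL_RESOURCES) and _covers(verbs, READ_VERBS):
        risks.add("can-read-secrets")
    return risks


def audit(cluster_roles, bindings):
    """List (binding, subject, sorted risk tags) for every subject bound
    cluster-wide to a ClusterRole that carries at least one risk tag."""
    role_risks = {}
    for role in cluster_roles:
        tags = set()
        for rule in role.get("rules", []):
            tags |= rule_risks(rule)
        role_risks[role["metadata"]["name"]] = tags

    findings = []
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole":
            continue
        tags = role_risks.get(ref["name"], set())
        if not tags:
            continue
        for s in binding.get("subjects", []):
            if "namespace" in s:
                subject = f'{s["kind"]}:{s["namespace"]}/{s["name"]}'
            else:
                subject = f'{s["kind"]}:{s["name"]}'
            findings.append((binding["metadata"]["name"], subject, sorted(tags)))
    return findings


if __name__ == "__main__":
    for binding, subject, tags in audit(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS):
        print(f"{binding}: {subject} -> {', '.join(tags)}")
```

Run against a real dump, a finding such as a web-facing service account bound to `cluster-admin` is the condition to fix first: a container escape on that workload's node would hand the attacker the rights to roll out new pods across the cluster. Role-scoped (namespaced) bindings and aggregated ClusterRoles are deliberately out of scope here and would need the same treatment.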

Indicators of compromise (IOCs) and further technical details on the Siloscape malware are available in Prizmant’s report.

Source: Bleeping Computer

Risk Crew