
New Malware Siloscape Found Targeting Windows Containers

A new type of malware known as Siloscape is targeting Microsoft Windows containers to steal data and conduct RCE attacks.


Security researchers have described a new form of malware that is targeting Windows containers to breach Kubernetes clusters. Known as Siloscape, the malware seeks to compromise containers on the platform.

Kubernetes clusters that run Windows containers work alongside Linux to help customers manage cloud services. Unit 42, the zero-day wing of Palo Alto Networks, says Siloscape was spotted by its researchers in March.

It was given its name because it focuses on trying to compromise Windows containers and then escape through the server silo. Threat actors access the command-and-control (C2) server through a .onion domain.

Through the C2 server, attackers can manage Siloscape, including sending attack commands and extracting data. Threat actors are targeting vulnerabilities in Windows containers to access organization databases and servers.

Attack

On an infected system, the malware shows up as CloudMalware.exe and attacks the server by breaking out of the container's isolation. Once Siloscape has access, it starts a remote code execution (RCE) on the container's node, leveraging Windows container escape techniques. For example, it will try to impersonate CExecSvc.exe to get out of the container.

“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 points out. “More specifically, it links its local containerized X drive to the host's C drive.”

Not all escape attempts succeed, but if the malware does get out of a Windows container, it will attempt to create new, malicious containers in the cluster that steal application data. It can also load cryptocurrency miners that consume system resources.

The creators of the malware have gone to great lengths to make it hard to find. It also uses two keys to decrypt the password for the C2 server. Tracking the keys is nearly impossible because a unique key may be created for every attack.

“The hardcoded key makes each binary a little bit different than the rest, which is why I couldn't find its hash anywhere,” the researchers say. “It also makes it impossible to detect Siloscape by hash alone.”
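Because every Siloscape binary carries a different hardcoded key, the article's point is that defenders have to look for behaviour, not hashes. The following is an added example (not code from the article or from Unit 42) that scans constructed process and symbolic-link telemetry for the two traits described above: the reported file name CloudMalware.exe, and a containerized process linking its local X drive to the host's C drive. The event format and field names are an assumption made for this example, not a real Sysmon or ETW schema.

```python
import re

# Added example, not from the article or Unit 42: a minimal behavioural detector
# for the two Siloscape traits the article describes. Event format and field
# names are constructed for this example, not a real Sysmon/ETW schema.
KV_RE = re.compile(r"(\w+)=(\S+)")

KNOWN_NAME = "cloudmalware.exe"        # on-disk name reported by Unit 42
CONTAINER_DRIVE = "x:"                 # the container's local X drive
HOST_TARGETS = ("c:\\",)               # the host's C drive

# Constructed sample telemetry: one benign process, the named binary, its
# X: -> C: link, a renamed copy doing the same link, and a benign in-container link.
SAMPLE_EVENTS = [
    "time=2021-03-01T10:00:00Z type=process image=C:\\Windows\\System32\\svchost.exe container=yes",
    "time=2021-03-01T10:00:05Z type=process image=C:\\Users\\Public\\CloudMalware.exe container=yes",
    "time=2021-03-01T10:00:06Z type=symlink image=C:\\Users\\Public\\CloudMalware.exe link=X:\\ target=C:\\ container=yes",
    "time=2021-03-01T10:01:00Z type=symlink image=C:\\Temp\\updater.exe link=X:\\ target=C:\\ container=yes",
    "time=2021-03-01T10:02:00Z type=symlink image=C:\\App\\app.exe link=X:\\tmp target=X:\\data container=yes",
]

def parse(line):
    """Turn one key=value event line into a dict."""
    return dict(KV_RE.findall(line))

def classify(ev):
    """Return the alert names an event triggers (empty list if benign)."""
    alerts = []
    image = ev.get("image", "").lower()
    # Name match: cheap, but defeated by a renamed or re-keyed build,
    # which is exactly why the article says hash alone is not enough.
    if image.rsplit("\\", 1)[-1] == KNOWN_NAME:
        alerts.append("known-name")
    # Behavioural match: a containerized process linking its X drive to the host's C drive.
    if ev.get("type") == "symlink" and ev.get("container") == "yes":
        link, target = ev.get("link", "").lower(), ev.get("target", "").lower()
        if link.startswith(CONTAINER_DRIVE) and target.startswith(HOST_TARGETS):
            alerts.append("container-to-host-symlink")
    return alerts

def scan(lines):
    """Run every event through classify() and collect (time, image, alert) findings."""
    return [(ev.get("time"), ev.get("image"), a)
            for ev in map(parse, lines) for a in classify(ev)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

The renamed copy (updater.exe) is missed by the name rule but still caught by the behavioural rule, which is the property a hash- or name-only detection lacks.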


Source: Unit 42

Luke Jones