A new brand of malware designed to compromise Windows containers to reach Kubernetes clusters has been revealed by researchers.
The malware, dubbed Siloscape, is considered unusual because malware designed to target containers typically focuses on Linux, the more common operating system for running containerized applications and cloud environments.
According to Palo Alto Networks Unit 42, Siloscape, first discovered in March of this year, was so named because its overall goal is to escape Windows containers through a server silo.
In a blog post published Monday, cybersecurity researchers said Siloscape uses the Tor proxy and a .onion domain to connect to its Command and Control (C2) server, which malicious actors use to manage their malware, exfiltrate data and send commands.
The malware, labeled CloudMalware.exe, targets Windows containers (those using server silo isolation rather than Hyper-V isolation) and gains initial access by exploiting known but unpatched vulnerabilities in servers, web pages or databases.
Siloscape will then attempt to perform Remote Code Execution (RCE) on the underlying node of a container using various Windows container escape techniques, such as impersonating CExecSvc.exe, a container image service, to gain SeTcbPrivilege privileges.
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread, then calls NtSetInformationSymbolicLink on a newly created symbolic link to exit the container,” explains Unit 42. “Specifically, it links its local containerized X drive to the host’s C drive.”
If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in the compromised cluster, or load cryptocurrency miners that hijack system resources to mine cryptocurrency covertly, earning its operators profits for as long as the activity goes undetected.
The malware developers have put significant obfuscation in place, to the point where function and module names are only deobfuscated at runtime, to disguise the code and make reverse engineering more difficult. Additionally, the malware uses a key pair to decrypt the C2 server password, and these keys are suspected of being generated for every single attack.
“The hard-coded key makes each binary a little different from the others, which is why I couldn’t find its hash anywhere,” the research says. “It also makes it impossible to detect Siloscape by hash alone.”
Unit 42 succeeded in gaining access to the C2 server and identified 23 active victims, as well as 313 victims in total, likely compromised during last year’s campaigns. However, it was only a few minutes before the researchers’ presence was noticed: they were kicked from the server and the service was taken offline, at least at that .onion address.
Microsoft recommends deploying Hyper-V containers, rather than relying on standard Windows containers, when containerization is used as a security boundary. Unit 42 added that Kubernetes clusters must be configured correctly so that node privileges alone are not sufficient to create new deployments.
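The Unit 42 hardening advice above is about RBAC: a node identity (the `system:nodes` group or a `system:node:<name>` user) should not be bound to a role that can create workloads, because a kubelet credential stolen through a container escape would then be enough to schedule attacker-controlled containers cluster-wide. The following added example (my own illustration, not code from the article or from Unit 42) is a small audit over constructed ClusterRole/ClusterRoleBinding manifests: it flags any binding that hands a node identity write access to Deployments, DaemonSets, Jobs or Pods. The manifests, role names and service account are made up for the demonstration, and the evaluator deliberately ignores namespaced RoleBindings and aggregated ClusterRoles to keep the logic short.

```python
"""Audit Kubernetes RBAC manifests for bindings that let node identities create workloads."""

# Constructed sample manifests (not from the page). The "weak" set binds the
# system:nodes group to a role that can create Deployments; the "hardened" set
# gives that role only to a dedicated CI service account and leaves nodes with
# read-only access to Node objects.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["create", "get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-basic"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "list"]}]},
]

WEAK_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nodes-can-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
]

HARDENED_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-can-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nodes-basic"},
     "roleRef": {"kind": "ClusterRole", "name": "node-basic"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
]

# (apiGroup, resource) pairs that let a subject run new code in the cluster.
WORKLOAD_RESOURCES = {
    ("apps", "deployments"), ("apps", "daemonsets"), ("apps", "statefulsets"),
    ("batch", "jobs"), ("batch", "cronjobs"), ("", "pods"),
}
WRITE_VERBS = {"create", "update", "patch", "*"}


def is_node_subject(subject: dict) -> bool:
    """True for the kubelet group or an individual kubelet user."""
    if subject["kind"] == "Group" and subject["name"] == "system:nodes":
        return True
    return subject["kind"] == "User" and subject["name"].startswith("system:node:")


def rule_grants_workload_write(rule: dict) -> bool:
    """True if a single RBAC rule permits creating or modifying a workload resource."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not verbs & WRITE_VERBS:
        return False
    for api_group, resource in WORKLOAD_RESOURCES:
        group_ok = "*" in groups or api_group in groups
        resource_ok = "*" in resources or resource in resources
        if group_ok and resource_ok:
            return True
    return False


def find_node_workload_grants(roles: list, bindings: list) -> list:
    """Return names of ClusterRoleBindings that give a node identity workload-write rights."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles if r["kind"] == "ClusterRole"}
    findings = []
    for binding in bindings:
        if not any(is_node_subject(s) for s in binding.get("subjects", [])):
            continue
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef: nothing is granted
        if any(rule_grants_workload_write(rule) for rule in role.get("rules", [])):
            findings.append(binding["metadata"]["name"])
    return findings


if __name__ == "__main__":
    print("weak:", find_node_workload_grants(ROLES, WEAK_BINDINGS))
    print("hardened:", find_node_workload_grants(ROLES, HARDENED_BINDINGS))
```

On a live cluster the same check is cheaper to express as `kubectl auth can-i create deployments --as=system:node:<node-name> --as-group=system:nodes`, which should answer `no` once bindings like `nodes-can-deploy` are removed; the offline evaluator above is useful for reviewing manifests before they are applied.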