Windows Container Malware Targets Kubernetes Clusters

“Siloscape”, the first malware to target Windows containers, breaks out of Kubernetes clusters to plant backdoors and raid nodes for credentials.

New malware that has been active for over a year has been compromising Windows containers in order to break into Kubernetes clusters and install backdoors in them, opening the way for further malicious activity.

Originally developed by Google and now maintained by the Cloud Native Computing Foundation, Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized workloads, services, and applications across host clusters.

Kubernetes organizes application containers into pods, nodes (physical or virtual machines), and clusters. Multiple nodes in turn form a cluster controlled by a master that coordinates cluster-wide tasks such as scaling and updating applications.

Named Siloscape by Unit 42 researcher Daniel Prizmant, the malware is the first to attack Windows containers. The malware exploits known vulnerabilities in web servers and databases with the ultimate goal of compromising Kubernetes nodes and installing backdoors.

“Siloscape is a highly obfuscated malware that attacks Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor in poorly configured Kubernetes clusters in order to launch malicious containers,” explained Prizmant.

According to Unit 42 researchers Ariel Zelivansky and Matthew Chiodi, until recently their colleagues had only recorded malware attacking Linux clusters, owing to the prevalence of that platform in the cloud.

While most cloud malware is designed to mine cryptocurrencies or carry out DDoS attacks, Siloscape has a different purpose. Firstly, it is far better at evading detection; secondly, its main task is to install a backdoor that allows the compromised cloud infrastructure to be used for further malicious actions such as theft of credentials and personal data, ransomware attacks, and even supply chain attacks.