According to researchers from Unit 42, Siloscape is a highly obfuscated malware that targets Kubernetes clusters through Windows containers, and its main objective is to open a back door on misconfigured Kubernetes clusters to run malicious containers such as, among others, cryptojackers.

Siloscape, first detected in March 2021, is characterized by several techniques: it targets common cloud applications, such as web servers, to gain an initial foothold through known vulnerabilities, then uses Windows container escape techniques to break out of the container and obtain remote code execution on the underlying node.

Compromising an entire cluster is much more serious than compromising an individual container, because a cluster typically runs multiple applications while a single container generally runs only one. For example, the attacker could steal critical information such as usernames and passwords, an organization's confidential and internal files, or even entire databases hosted on the cluster. Such an attack could also be turned into a ransomware attack by holding the organization's files hostage. Worse, as organizations move to the cloud, many use Kubernetes clusters as development and test environments, and a breach of such an environment can lead to devastating attacks on the software supply chain.

Siloscape mimics the privileges of CExecSvc.exe by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to escape the container. With this privilege, the malware tries to abuse the node's credentials to spread across the cluster, and then anonymously establishes a connection to its command and control (C2) server through a Tor proxy to receive further instructions, including ones that make use of the cluster's computing resources.

After gaining access to the C2 server, Unit 42 said it found 23 active victims, with the server hosting a total of 313 users. The campaign is said to have started at least around January 12, 2020, based on the C2 server creation date, suggesting that the malware could be just a small part of a larger campaign that started more than a year ago.

Unlike most cloud malware, which primarily focuses on resource hijacking and denial of service (DoS), Siloscape is not limited to any specific goal; instead, it opens a back door to all kinds of malicious activities.

One comment on "Siloscape is the first threat to attack Windows containers"