Researchers discovered the attacks in early March, but the attacks are believed to be at least a year old.
Security experts at Palo Alto Networks say they have discovered the first malware that targets and escapes Windows Server containers to infect victims’ Kubernetes cluster infrastructure.
The researchers said the attacks were discovered in early March, but they believe the campaign is at least a year old.
Attackers have been scanning the Internet for common cloud applications, such as web servers, and deploying exploits for older vulnerabilities to gain a foothold on unpatched applications, the researchers said.
If the web app was running in a Windows Server container, the attacker would deploy malware called “Siloscape” to gain access to the underlying operating system through a previously documented Windows container escape technique. If the operating system was running as a Kubernetes node, the attackers extracted and collected the node’s credentials, which the researchers believe is intended to let them pivot into the company’s internal Kubernetes infrastructure and deploy a new node with malicious capabilities.
Siloscape also downloaded and installed the Tor client to contact its command and control server and accept commands. The researchers stated that the C2 server was accessible and that, at the time of writing, the attacker appears to have infected more than 300 systems. However, so far the researchers have not found any malicious activity by the attackers on those systems.
Daniel Prizmant, the company’s senior security researcher, pointed out, “Other malware that attacks containers is generally designed to hijack cryptocurrencies, but Siloscape does not actively perform any actions that damage the cluster; it focuses on being undetected and untraceable, and on opening backdoors in the cluster.”
Palo Alto is urging businesses to move applications from Windows Server containers to Microsoft’s Hyper-V virtualization technology, and Microsoft itself recommends Hyper-V isolation over the older, less secure container mechanism.
Prizmant said that if the advice is not heeded, critical internal systems could be attacked. While the attacker is likely to profit from cryptocurrency mining, they could also rent out access to some of the large compromised businesses to other criminal groups, such as ransomware gangs, for even greater profit.
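The migration advice above is easy to state but hard to verify at scale, so the following is an added audit helper (written for this article, not Palo Alto Networks’ or Microsoft’s tooling) that walks a cluster’s pod and RuntimeClass objects and flags Windows pods still running with process isolation. It assumes that Windows pods are identified by `spec.os.name == "windows"` or the `kubernetes.io/os=windows` node selector, and that Hyper-V isolation is selected through a RuntimeClass whose containerd handler is `runhcs-wcow-hypervisor`; the pod and RuntimeClass records below are constructed samples.

```python
"""Audit Kubernetes pod specs for Windows containers that still run with
process isolation instead of Hyper-V isolation.

Hypothetical audit helper written for this article; not Palo Alto
Networks' or Microsoft's code. Assumptions: Windows pods carry
spec.os.name == "windows" or nodeSelector kubernetes.io/os=windows, and
Hyper-V isolation is requested via a RuntimeClass whose handler is
"runhcs-wcow-hypervisor" (the handler name used in the Kubernetes docs
for Hyper-V isolated Windows pods)."""

# containerd handler names that give Hyper-V isolation (assumption, see above)
HYPERV_HANDLERS = {"runhcs-wcow-hypervisor"}

# Constructed sample RuntimeClass objects, shaped like the "items" of
# `kubectl get runtimeclass -o json`.
RUNTIME_CLASSES = [
    {"metadata": {"name": "windows-hyperv"}, "handler": "runhcs-wcow-hypervisor"},
    {"metadata": {"name": "windows-process"}, "handler": "runhcs-wcow-process"},
]

# Constructed sample pods: a Linux pod (out of scope), a Windows pod with the
# default process isolation (the weak setting), and a Windows pod pinned to
# the Hyper-V RuntimeClass (the recommended setting).
PODS = [
    {"metadata": {"name": "api-linux", "namespace": "prod"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "linux"},
              "containers": [{"name": "api", "image": "example/api:1"}]}},
    {"metadata": {"name": "iis-web", "namespace": "prod"},
     "spec": {"os": {"name": "windows"},
              "containers": [{"name": "iis", "image": "example/iis:1"}]}},
    {"metadata": {"name": "iis-web-hv", "namespace": "prod"},
     "spec": {"os": {"name": "windows"},
              "runtimeClassName": "windows-hyperv",
              "containers": [{"name": "iis", "image": "example/iis:1"}]}},
]


def hyperv_runtime_classes(runtime_classes):
    """Names of RuntimeClasses whose handler provides Hyper-V isolation."""
    return {rc["metadata"]["name"] for rc in runtime_classes
            if rc.get("handler") in HYPERV_HANDLERS}


def is_windows_pod(pod):
    """True if the pod is scheduled as a Windows pod by either mechanism."""
    spec = pod.get("spec", {})
    if spec.get("os", {}).get("name") == "windows":
        return True
    return spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows"


def audit_pods(pods, runtime_classes):
    """Return (namespace/name, reason) for every Windows pod that is not
    using a Hyper-V isolated RuntimeClass."""
    hv_classes = hyperv_runtime_classes(runtime_classes)
    findings = []
    for pod in pods:
        if not is_windows_pod(pod):
            continue
        meta = pod["metadata"]
        ident = f"{meta.get('namespace', 'default')}/{meta['name']}"
        rc = pod["spec"].get("runtimeClassName")
        if rc is None:
            # No RuntimeClass means the node default, i.e. process isolation.
            findings.append((ident, "no runtimeClassName: process-isolated Windows container"))
        elif rc not in hv_classes:
            findings.append((ident, f"runtimeClassName {rc!r} does not use a Hyper-V handler"))
    return findings


if __name__ == "__main__":
    for ident, reason in audit_pods(PODS, RUNTIME_CLASSES):
        print(f"{ident}: {reason}")
```

Against a live cluster, replace the two constructed lists with the `items` arrays from `kubectl get pods -A -o json` and `kubectl get runtimeclass -o json`; a pod without any `runtimeClassName` is reported because the node default for Windows containers is process isolation, which is exactly the configuration the article recommends moving away from.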
Before an enterprise migrates from Windows Server containers to Hyper-V, it should deploy detection for Siloscape attacks. The Palo Alto Networks report lists the IOCs associated with Siloscape. Since Siloscape is not yet a large-scale campaign, some of the malware’s artifacts are currently difficult to trace, but some files were discovered and shared by the vx-underground community earlier today.