'Siloscape' Malware Targets Windows Server Containers

A newly identified piece of malware that targets Windows Server containers can execute code on the underlying node and then spread in the Kubernetes cluster, according to a warning from security researchers at Palo Alto Networks.


Dubbed Siloscape, the heavily obfuscated malware was designed to install a backdoor into Kubernetes clusters, which can then be used to run malicious containers and perform various other nefarious activities.


As part of the observed attacks, which have been ongoing for more than a year, initial access is achieved through web servers and other cloud applications; container escape techniques are then used to execute code on the underlying node, after which the node’s credentials are abused to spread through the cluster.


According to Palo Alto Networks researcher Daniel Prizmant, Siloscape has snagged at least 23 victims to date, but the malware is believed to be part of a larger campaign. After gaining access to the malware’s command and control server, the researcher discovered that it was hosting a total of 313 users.




“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant said.


Typically, an attack starts with the malware operators abusing a known vulnerability to gain remote code execution inside a Windows container, which is then used to run Siloscape. Next, the malware escapes the container to compromise the host, checks if the host has privileges to create new Kubernetes deployments, and connects to the C&C server using Tor.
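The privilege check described above, whether the compromised node's identity may create new Kubernetes deployments, is also the question a defender should ask of their own cluster before an intruder does. The following is an added example, not code from the article or from Palo Alto Networks: a small RBAC audit that evaluates ClusterRoles, Roles and their bindings and lists every identity permitted to create Deployments. The input format mirrors the JSON objects that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns (pass the `items` list of that output); the sample objects embedded here are constructed for illustration, and the evaluator is a simplification that ignores resourceNames, aggregated ClusterRoles and nonResourceURLs.

```python
# Added example (not from the article or Palo Alto Networks): audit constructed
# Kubernetes RBAC objects for identities that can create Deployments, the
# privilege the article says Siloscape checks for on a compromised node.
from typing import Dict, List, Tuple

Obj = Dict  # a Kubernetes object as parsed JSON


def _matches(allowed: List[str], wanted: str) -> bool:
    """RBAC list fields accept the wildcard '*' or an exact entry."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Obj, api_group: str, resource: str, verb: str) -> bool:
    """True if one PolicyRule covers the (apiGroup, resource, verb) triple."""
    return (
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
    )


def role_allows(role: Obj, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule of a Role/ClusterRole grants the triple."""
    return any(rule_allows(r, api_group, resource, verb) for r in role.get("rules", []))


def subject_id(subject: Obj) -> str:
    """Render a binding subject as 'Kind:[namespace/]name'."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def who_can(objects: List[Obj], api_group: str, resource: str, verb: str) -> List[Tuple[str, str]]:
    """Sorted (identity, scope) pairs for every binding whose role grants the verb.

    Simplification (assumption of this example): resourceNames, aggregated
    ClusterRoles and nonResourceURLs are not evaluated.
    """
    roles = {}
    for o in objects:
        if o["kind"] == "ClusterRole":
            roles[("ClusterRole", None, o["metadata"]["name"])] = o
        elif o["kind"] == "Role":
            roles[("Role", o["metadata"]["namespace"], o["metadata"]["name"])] = o

    findings = set()
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = b["metadata"].get("namespace")
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then namespace-scoped.
        key = ("ClusterRole", None, ref["name"]) if ref["kind"] == "ClusterRole" else ("Role", ns, ref["name"])
        role = roles.get(key)
        if role is None or not role_allows(role, api_group, resource, verb):
            continue
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        for s in b.get("subjects", []):
            findings.add((subject_id(s), scope))
    return sorted(findings)


def find_deployment_creators(objects: List[Obj]) -> List[Tuple[str, str]]:
    """Identities able to create Deployments (the 'apps' API group)."""
    return who_can(objects, "apps", "deployments", "create")


SAMPLE_RBAC = [  # constructed objects, not taken from any real cluster
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRole", "metadata": {"name": "deployment-creator"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-deploys", "namespace": "web"},
     "roleRef": {"kind": "ClusterRole", "name": "deployment-creator"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "web", "name": "ci-deployer"}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-reads-pods", "namespace": "web"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "web", "name": "default"}]},
    {"kind": "ClusterRole", "metadata": {"name": "deployment-viewer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "default-views"},
     "roleRef": {"kind": "ClusterRole", "name": "deployment-viewer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "web", "name": "default"}]},
]

if __name__ == "__main__":
    for identity, scope in find_deployment_creators(SAMPLE_RBAC):
        print(f"{identity} can create Deployments ({scope})")
```

On the constructed sample the audit reports only the `system:masters` group (cluster-wide) and the `web/ci-deployer` service account (namespace `web`); the `default` service account, which is what a pod inherits when no service account is set, can only read pods and view deployments, which is the least-privilege posture that denies a node-level intruder the deployment-creation step the article describes.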


To escape the container, the malware impersonat ..
