Windows containers have been victimized for over a year by the first known malware to target Windows containers. The ongoing campaign pierces Kubernetes clusters so as to plant backdoors, allowing attackers to steal data and user credentials, or even hijack entire databases hosted in a cluster.
The malware was discovered by Unit 42 security researcher Daniel Prizmant. He dubbed it Siloscape, which he pronounces "Silo escape." The malware pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters.
In a post published on Monday, Prizmant wrote that Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers, with the main purpose of opening "a backdoor into poorly configured Kubernetes clusters in order to run malicious containers."
In a separate post, Unit 42 researchers Ariel Zelivansky and Matthew Chiodi compared containers to those used to package different materials together on cargo ships. They're an easy way to run applications in the cloud, in that they pack different materials together for greater efficiency, allowing development teams to move fast and operate "at almost any scale."
Running an application in a container this way is referred to as containerization, and like other remote ways to work, it's picked up steam due to COVID-19. "We've seen more and more organizations using containers in the cloud in recent years, especially since the COVID-19 pandemic caused many to seek to move faster and deploy cloud workloads more efficiently," the researchers noted.
Components of Kubernetes. Source: Kubernetes
According to Zelivansky and Chiodi, this is the first time researchers have seen malware targeting Windows containers. The Linux operating system in cloud environments has been far more popular, they said.
Unit 42 researchers have identified 23 Siloscape victims and said that evidence points to the campaign having been launched over a year ago.
Prizmant determined the campaign's start date — Jan. 12, 2020 — by gleaning the creation date of the server that it's coming from. This doesn't necessarily mean that Siloscape was created on that date, he noted; rather, that's likely when the malware campaign started.
After particularly arduous reverse-engineering, Prizmant was able to connect to the Siloscape command-and-control (C2) server, where he discovered that it was hosting a total of 313 users. That implies that Siloscape is "a small part of a broader campaign," he observed.
The malware starts by targeting known vulnerabilities — "1-days" — in common cloud applications, such as web servers. This initial access is presumably gained by using exploits found in the wild. Last year, Prizmant documented one such way to break Windows container boundaries. In a report published in 2020, he described what attackers could do if they escaped from a container.
He chose to focus on the current scenario: An escape from a Windows cluster node in Kubernetes that would allow an attacker to gain access outside the node and spread into the cluster.
Execution flow of Siloscape. Source: Unit 42
After it compromises web servers, Siloscape uses container escape tactics to achieve code execution on the Kubernetes node. Prizmant said that Siloscape's heavy use of obfuscation made it a chore to reverse-engineer. "There are almost no readable strings in the entire binary. While the obfuscation logic itself isn't complicated, it made reversing this binary frustrating," he explained.
The malware obfuscates functions and module names — including simple APIs — and only deobfuscates them at runtime. Instead of just calling the functions, Siloscape "made the effort to use the Native API (NTAPI) version of the same function," he said. "The end result is malware that is very difficult to detect with static analysis tools and frustrating to reverse engineer."
"Siloscape is being compiled uniquely for each new attack, using a unique pair of keys," Prizmant continued. "The hardcoded key makes each binary a little bit different than the rest, which explains why I couldn't find its hash anywhere. It also makes it impossible to detect Siloscape by hash alone."
After Siloscape compromises nodes, the malware sniffs around for credentials that enable it to spread to other nodes in the Kubernetes cluster. Then, it reaches out to its C2 server via IRC — an old protocol — over the Tor anonymous communication network and sits idle, waiting for commands.
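Because each Siloscape binary carries its own key, hash-based detection fails, and the post's description of the implant's network behavior (an IRC session over Tor, then idling until commanded) is a more stable thing to look for. The following is an added example, not code from the article or from Unit 42: it runs a small set of egress checks over constructed pod flow records. The port numbers, the cluster CIDRs, the idle thresholds and the `Flow` record shape are all assumptions, and any hit is a triage lead rather than proof of compromise.

```python
# Added example, not code from the article or from Unit 42: flag pod egress
# that resembles the IRC-over-Tor beaconing described above, using
# constructed flow records. Ports, CIDRs and thresholds are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress

# Assumed defaults: IRC commonly uses 6667/6697; Tor relays commonly listen on
# 9001 (ORPort) and 9030 (DirPort). Both can run on any port, so a port hit is
# a lead for triage, not proof.
SUSPECT_PORTS = {6667: "irc", 6697: "irc-tls", 9001: "tor-or", 9030: "tor-dir"}
IDLE_SECONDS = 600      # assumed: connection open for at least ten minutes...
IDLE_MAX_BYTES = 4096   # assumed: ...while sending almost nothing

# Assumed cluster, service and loopback ranges; traffic inside them is out of scope.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class Flow:
    """One egress connection summary, as a CNI or node flow exporter might emit."""
    namespace: str
    pod: str
    dst_ip: str
    dst_port: int
    duration_s: int
    bytes_out: int


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow, allowlist: Set[Tuple[str, int]]) -> Optional[str]:
    """Return a triage reason for a suspicious flow, or None if it looks benign."""
    if not is_external(flow.dst_ip):
        return None  # in-cluster traffic: not what this check is for
    if (flow.dst_ip, flow.dst_port) in allowlist:
        return None  # known-good external dependency
    if flow.dst_port in SUSPECT_PORTS:
        return f"egress to {SUSPECT_PORTS[flow.dst_port]} port {flow.dst_port}"
    # The implant sits idle on its C2 channel waiting for commands, so a
    # long-lived connection that sends almost nothing deserves a look even
    # on an innocuous port such as 443.
    if flow.duration_s >= IDLE_SECONDS and flow.bytes_out < IDLE_MAX_BYTES:
        return "long idle connection to non-allowlisted host"
    return None


def find_suspicious(flows: List[Flow], allowlist: Set[Tuple[str, int]]) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, reason) for every flow that trips a rule."""
    hits = []
    for flow in flows:
        reason = classify(flow, allowlist)
        if reason:
            hits.append((flow.namespace, flow.pod, reason))
    return hits


# Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("prod", "web-7c9d", "10.0.3.12", 5432, 30, 20000),     # in-cluster database
    Flow("prod", "web-7c9d", "203.0.113.10", 443, 5, 1500),     # allowlisted vendor API
    Flow("prod", "web-7c9d", "198.51.100.7", 9001, 3600, 900),  # Tor ORPort
    Flow("prod", "api-1f2a", "198.51.100.9", 443, 7200, 1200),  # long and nearly silent
]
ALLOWLIST = {("203.0.113.10", 443)}

if __name__ == "__main__":
    for ns, pod, reason in find_suspicious(SAMPLE_FLOWS, ALLOWLIST):
        print(f"{ns}/{pod}: {reason}")
```

Run against the constructed records, the check flags the Tor-port connection and the long, nearly silent one, and passes the in-cluster and allowlisted flows. In a real cluster the same logic is better enforced than detected: a default-deny egress NetworkPolicy with explicit allowances removes the C2 path rather than merely reporting it.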
Prizmant adopted a username that he figured would look legitimate when he connected to the C2 server. Once he successfully connected, he found it was still working and that there were 23 "active victims", plus a channel operator named admin.
But his presence didn't go undetected. After about 2 minutes, he was kicked out of the server. Two minutes after that, the server was shut down — at least, it was no longer active at the original onion domain that he used to connect.
But that was just a slice of the entire campaign. He actually saw that in the #WindowsKubernetes channel he accessed there were far more than those 23 users. In fact there were a total of 313 users. He wouldn't be able to identify, contact or warn any of them, however.
"Sadly, when I connected to the server, the channels list was empty, indicating that the server was configured to not reveal its channels," Prizmant wrote. "Therefore, I couldn't get more information from the channel names."
But the researcher did manage to glean an important detail. Namely, the convention used for the victims' names. Unit 42 researchers used the name "php_35", as their sample of Siloscape had executed through a vulnerable PHP instance. Other names that included the string "sqlinj" indicate that the attacker probably managed to achieve code execution via SQL injection.
In his July 2020 post, Prizmant said that his research suggested that "running any code in [Windows Server Containers] should be considered as dangerous as running admin on the host. These containers are not designed for sandboxing, and I found that escaping them is easy."
This could enable an attacker to steal critical credentials, confidential and internal files, or even entire databases hosted in the cluster, he warned in Monday's post. It could even lead to a ransomware attack if attackers take an organization's files hostage. Even worse, he said, is the threat presented by organizations' mass move to the cloud. Given that many are using Kubernetes clusters to develop and test code, a breach "can lead to devastating software supply chain attacks," he said.
In Monday's post, he explained that compromising an entire cluster is much more severe than compromising an individual container, given that "a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application."
He noted that Siloscape isn't like most cloud malware, which typically focuses on resource hijacking for things like cryptomining and DoS. Siloscape, on the other hand, "doesn't limit itself to any specific goal," Prizmant said. "Instead, it opens a backdoor to all kinds of malicious activities."
Supply-chain attacks similar to what Prizmant warned about have been linked to spyware installation, Operation SignSight, the compromise of Able Desktop, airline breaches, and the supply-chain whopper of them all: the SolarWinds breach of the U.S. government.
As far as other Kubernetes catastrophes go, a few recent headlines include an April 2021 security bug that allowed attackers to brick Kubernetes clusters: A vulnerability in one of the Go libraries that Kubernetes is based on that could lead to denial of service (DoS) for the CRI-O and Podman container engines. Earlier in April, an organized, self-propagating cryptomining campaign was uncovered that targeted misconfigured open Docker Daemon API ports. Thousands of container-compromise attempts were being observed every day related to the campaign.
Also in April, Microsoft's cloud-container technology, Azure Functions, was found to harbor a weakness that allows attackers to directly write to files, researchers said. A few months earlier, in February 2021, a new malware was hijacking Kubernetes clusters to cryptomine Monero.
In another example of why cloud infrastructure needs strong security, a simple Docker container honeypot was targeted by four different criminal campaigns in the span of 24 hours in a recent lab test.
Trevor Morgan, product manager with enterprise data security firm comforte AG, thinks that Siloscape is the kind of threat that can make organizations nervous about adopting cloud. "Enterprises adopt cloud native strategies because they want to accelerate their ability to innovate. Unfortunately, most organizations struggle with the right level of data security to avoid compromise with cloud native application architectures," he told Threatpost via email on Monday.
"Malware like Siloscape complicates this endeavor by striking at the core of containerization and creates real hesitation on the part of cloud native development efforts, threatening to slow down these processes and defeat the very agility these organizations seek," he pointed out. "Malware threats set up a false choice between being nimble and being cautious and secure with sensitive data."
Morgan suggested that data-centric security such as tokenization, built specifically for cloud native applications, "can help strike the right balance between these two," by protecting the data itself rather than "the layered, even amorphous borders surrounding cloud native application environments."
"Organizations can be assured that data security does not impede speed and agility, because tokenized sensitive information even in containers cannot be compromised if it falls into the wrong hands," he said. "Organizations adopting cloud native strategies can have their data security while achieving agility too."
Prizmant recommended that users follow Microsoft's advice to not use Windows containers as a security feature. Instead, Microsoft recommends using strictly Hyper-V containers for anything that relies on containerization as a security boundary, he noted. "Any process running in Windows Server containers should be assumed to have the same privileges as admin on the host, which in this case is the Kubernetes node. If you are running applications in Windows Server containers that need to be secured, we recommend moving these applications to Hyper-V containers," he said.
Secure configuration of Kubernetes clusters is also crucial. "A secured Kubernetes cluster won't be as vulnerable to this specific malware as the nodes' privileges won't suffice to create new deployments. In this case, Siloscape will exit," Prizmant said.
"Siloscape shows us the importance of container security, as the malware wouldn't be able to cause any significant damage if not for the container escape," he wrote. "It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats."
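Prizmant's point that Siloscape exits when the privileges it finds cannot create new deployments is a concrete configuration check. The following is an added example, not code from the article or from Unit 42: it evaluates the rules of a Kubernetes Role or ClusterRole manifest (already parsed from YAML or JSON into a dict) against the verbs and resources a compromised workload would need to spread, and contrasts a constructed wildcard role with a constructed least-privilege one. The rule-matching logic models RBAC's additive, deny-by-default semantics; the role names, the `SPREAD_CHECKS` list and the sample manifests are assumptions. It covers the service-account token a pod can read; the kubelet's own credentials on a node are governed separately by the Node authorizer.

```python
# Added example, not code from the article or from Unit 42: check whether the
# RBAC rules reachable from a pod's service account allow the "create
# deployments" step the post says Siloscape needs in order to spread.
# Rule shape follows Kubernetes Role/ClusterRole manifests; samples are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


def rules_from_manifest(manifest: dict) -> List[Rule]:
    """Read the rules list of a Role/ClusterRole manifest (already parsed to a dict)."""
    return [
        Rule(tuple(r.get("apiGroups", [""])), tuple(r["resources"]), tuple(r["verbs"]))
        for r in manifest.get("rules", [])
    ]


def _allows(wanted: str, allowed: tuple) -> bool:
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def can_i(rules: List[Rule], verb: str, resource: str, api_group: str = "") -> bool:
    """RBAC is additive and deny-by-default: one matching rule is enough to allow."""
    return any(
        _allows(api_group, r.api_groups)
        and _allows(resource, r.resources)
        and _allows(verb, r.verbs)
        for r in rules
    )


# Assumed list of capabilities that turn one compromised container into a
# cluster-wide problem: scheduling new workloads and reading other tenants' secrets.
SPREAD_CHECKS = [
    ("create", "deployments", "apps"),
    ("create", "pods", ""),
    ("get", "secrets", ""),
    ("list", "secrets", ""),
]


def spread_capabilities(rules: List[Rule]) -> List[str]:
    """Return the spread-relevant grants the rule set allows, in SPREAD_CHECKS order."""
    return [
        f"{verb} {resource}"
        for verb, resource, group in SPREAD_CHECKS
        if can_i(rules, verb, resource, group)
    ]


# Constructed: the wildcard ClusterRole that too often gets bound to a
# namespace's default service account "to make the app work".
WEAK_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed: the least-privilege Role a config-reading web app actually needs.
HARDENED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "web-config-reader", "namespace": "prod"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}
    ],
}

if __name__ == "__main__":
    for name, role in (("weak", WEAK_ROLE), ("hardened", HARDENED_ROLE)):
        grants = spread_capabilities(rules_from_manifest(role))
        print(f"{name}: {grants or 'no spread capabilities'}")
```

With the wildcard role, every spread check passes; with the hardened role, none do, while the app's legitimate ConfigMap reads still succeed. Two companion settings worth pairing with this check in a real cluster are `automountServiceAccountToken: false` on pods that never talk to the API server, so there is no token for an escaped process to find, and the Hyper-V isolation that the post recommends for any Windows workload that needs a genuine security boundary.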