Threat Update
A new malware dubbed ‘Siloscape’, first discovered in March, is actively targeting Kubernetes clusters via Windows containers. This malware has the potential to compromise an entire Kubernetes cluster. SKOUT recommends ensuring all clusters are updated with the latest security patches.
Technical Detail & Additional Information
WHAT IS THE THREAT?
‘Siloscape’ has been targeting poorly configured Kubernetes clusters for roughly a year by exploiting a privilege escalation vulnerability (CVE-2021-24096) within Windows Server containers (Server containers, not Hyper-V containers). Siloscape is highly obfuscated malware that focuses on setting up a backdoor and running malicious containers on misconfigured Kubernetes clusters by utilizing known vulnerabilities. The malware can be characterized by the following actions: targeting common cloud applications for initial access, utilizing Windows container escape techniques, abusing the infected node to spread to the cluster, and connecting to a C2 server using the IRC protocol over the Tor network. Once these steps have completed, the malware waits for further commands.
WHY IS IT NOTEWORTHY?
This highly sophisticated malware is extremely well obfuscated and is actively exploiting victims in the wild. The malware's code has nearly no readable strings throughout the entire binary and only de-obfuscates functions and modules at runtime. A very important attribute of Siloscape is that it is believed to utilize new keys for each connection to the C2, which are hardcoded into the binary. This means that each instance of the malware has a different C2 key and thus a different hash value, making it very difficult to detect the malware by hash value alone. Once the malware has gained access to a system, it has the ability to exfiltrate data from any application running within the exploited cluster.
WHAT IS THE EXPOSURE OR RISK?
Anyone who is utilizing Kubernetes clusters in conjunction with Windows Containers is potentially vulnerable to this malware. While the initial access vector may change depending on the threat surface, it is important to understand what systems, servers, applications, and operating systems are vulnerable to exploitation.
WHAT ARE THE RECOMMENDATIONS?
Current recommendations for hardening your systems against this malware are:
- Ensure Windows Containers only have the necessary level of permissions needed for functionality. (Assume any application running in a Windows Server container has the same level of permissions as the host admin.)
- Move any applications which need to be secure to a Hyper-V container. Hyper-V containers are much more secure than Windows Server containers and are reliable for containerization as a security boundary. SKOUT recommends using Hyper-V containers for any containerization for this reason.
- Ensure Kubernetes clusters are securely configured. A properly secured cluster will not have the permissions needed for Siloscape to create new deployments.
- Verify the security configurations for any cloud-based environment, as more and more threats are emerging for cloud-based solutions.
- Ensure the latest security patches are installed for hosts and applications within the cluster.
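One way to check the cluster-configuration recommendation above, as an added example that is not part of the original advisory: this Python script scans exported RBAC objects for ClusterRoleBindings that let node identities create Deployments, the permission the advisory says a properly secured cluster withholds. The sample data, role names and function names are constructed for illustration, and only cluster-wide bindings are covered, not namespaced RoleBindings.

```python
# Constructed sample in the shape of the "items" array returned by
# `kubectl get clusterroles,clusterrolebindings -o json` (not real cluster data).
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nodes-read-pods"},
     "roleRef": {"name": "pod-reader"}, "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nodes-deploy"},
     "roleRef": {"name": "deployer"}, "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "win-node-admin"},
     "roleRef": {"name": "everything"}, "subjects": [{"kind": "User", "name": "system:node:win-worker-1"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deploy"},
     "roleRef": {"name": "deployer"}, "subjects": [{"kind": "ServiceAccount", "name": "ci"}]},
]

def grants(rule, verb, resource, group):
    """True if one PolicyRule allows verb on resource in group; "*" matches anything."""
    pairs = ((rule.get("verbs"), verb), (rule.get("resources"), resource),
             (rule.get("apiGroups"), group))
    return all(vals and ("*" in vals or want in vals) for vals, want in pairs)

def applies_to_nodes(subject):
    """Kubelet credentials are user system:node:<name> in group system:nodes,
    and like every authenticated identity also fall under system:authenticated."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "Group":
        return name in ("system:nodes", "system:authenticated")
    return kind == "User" and name.startswith("system:node:")

def node_deploy_bindings(items, verb="create", resource="deployments", group="apps"):
    """Return (binding, role, subject) for each binding giving nodes the permission."""
    roles = {i["metadata"]["name"]: i.get("rules") or []
             for i in items if i["kind"] == "ClusterRole"}
    found = []
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        role = b["roleRef"]["name"]
        if any(grants(r, verb, resource, group) for r in roles.get(role, [])):
            found += [(b["metadata"]["name"], role, s["name"])
                      for s in b.get("subjects") or [] if applies_to_nodes(s)]
    return found

if __name__ == "__main__":
    for finding in node_deploy_bindings(SAMPLE_ITEMS):
        print("node identity can create deployments: %s -> %s (%s)" % finding)
```

Any binding it reports is a candidate for removal or for scoping down to the specific verbs and resources the node actually needs.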
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://unit42.paloaltonetworks.com/siloscape/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24096
- https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/
If you have any questions, please contact our Security Operations Center.