Security researchers have uncovered the first known Windows container malware, targeting Windows Server containers to infect Kubernetes clusters in cloud environments. The malware was named ‘Siloscape’ (silo escape) because its primary goal is to escape the container.
A researcher from Paloalto unit 42 Daniel Prizmant said, “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.”
This post will cover some heads up on Windows container vulnerabilities, an overview of Siloscape, and recommendations & best practices to stay away from such Windows container malware.
What Are Containers?
Containers are a technology that allows applications to run in an isolated environment on the host machines. They are built on top of the host machine’s kernel. Although containers share the host machines’ kernel, they don’t get access to it. This feature of containers provides a lightweight, isolated environment that makes apps easier to develop, deploy, and manage without affecting other apps and services. This lightweight nature leverages better unitizations of system resources.
What Do We Know About This New Windows Container Malware: Siloscape?
Siloscape malware was first identified in March 2021 by Daniel Prizmant. Its main target is cloud applications like web servers. It is designed to gain access by exploiting the known vulnerabilities and opens a backdoor in order to run malicious containers inside the Kubernetes clusters. Its highly obfuscated code leverages Windows container escape techniques to escape the container and gain remote code execution access on the underlying node. This malware can also harvest computing resources in a Kubernetes cluster for cryptojacking and exfiltrate sensitive information from the compromised clusters.
Some common behaviors and characteristics of Siloscape malware:
- Targeting common cloud applications such as web servers to gain access by exploiting the known vulnerabilities.
- Uses Windows container escape techniques to break out the container and gain remote code execution on the underlying node.
- Abuse the node’s credentials to spread in the cluster.
- It uses the IRC protocol to connect its C2 server over the Tor network.
- Waits for further instructions from its author.
The Targets of Siloscape Windows Container Malware:
Research reveals that this malware is just a small part of a larger campaign, which has been taking place for over a year. Furthermore, the report also confirmed that this campaign was active at the time of writing this post.
The actual size of the victims is unknown. However, when the researcher examines one of the C2 servers, he found 23 active victims at that time, and the server was being used to host 313 users in total.
Attack Flow of Siloscape Windows Container Malware:
- The attacker exploits known vulnerabilities to achieve remote code execution (RCE) inside a Windows container.
- The attacker executes CloudMalware.exe and supplies necessary information which needs to establish communication with the C2 server.
- It impersonates ‘CExecSvc.exe’ service to obtain SeTcbPrivilege privileges and creates a global symbolic link to the host (C drive of the host’s).
- After that, it searches for the ‘kubectl.exe’ binary and the Kubernetes config file in the symbolic link (C drive of the host’s).
- Then it checks if the compromised node has enough privilege to create new Kubernetes deployments. Then it writes the Tor archive (ZIP) and an unzip binary to the host’s C drive from the main Siloscape binary.
- it fires up ‘tor.exe’ to a new thread and waits for it to finish by checking the Tor thread output.
- After Tor is up and running, It then connects to the C2 server (IRC server, using a .onion domain), which is hosted on the Tor network from where it receives the instructions in the forms of commands for further action.
Indicators of Compromise Captured During the Analysis of Siloscape Malware
|Our Siloscape variant||5B7A23676EE1953247A0364AC431B193E32C952CF17B205D36F800C270753FCB|
|unzip.exe, the unzip binary Siloscape writes to the disk||81046F943D26501561612A629D8BE95AF254BC161011BA8A62D25C34C16D6D2A|
|tor.zip, the tor archive Silsocape writes to the disk||010859BA20684AEABA986928A28E1AF219BAEBBF51B273FF47CB382987373DB7|
Tips for Detecting and Removing This New Windows Container Malware “Siloscape”
Follow these recommendations to get rid of this threat:
- Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
- Check Firewall and Internet proxy logs for the given IOCs.
- Check if Tor is recently installed on any host on the network.
- Check for Tor traffic signature in NIDS and network Firewalls.
- Use any of the good Container security scanners for any detection.
- Migrate all Windows containers to Hyper-V containers until this issue sees a fix.
- For any suspected machines, immediately isolate the host and run these checks.
- Run an anti-virus product on the whole disk to check for any malware.
“Unlike most cloud malware, which mostly focuses on resource hijacking and denial of service (DoS), Siloscape doesn’t limit itself to any specific goal. Instead, it opens a backdoor to all kinds of malicious activities.”. Microsoft recommends not to use Windows containers as a security feature, instead use the Hyper-V containers for anything that relies on containerization as a security boundary. We suggest migrating all Windows containers to Hyper-V containers to get rid of this new Windows container malware.
Thanks for reading this post. We request to share this post with all who use Windows Containers in their daily lives and make them aware of this threat.