Security News > 2021 > June > New Kubernetes malware backdoors clusters via Windows containers
New malware active for more than a year is compromising Windows containers to compromise Kubernetes clusters with the end goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.
It organizes app containers into pods, nodes, and clusters, with multiple nodes forming clusters managed by a master which coordinates cluster-related tasks such as scaling or updating apps.
The malware, dubbed Siloscape by Unit 42 security researcher Daniel Prizmant and the first one to target Windows containers, exploits known vulnerabilities impacting web servers and databases with the end goal of compromising and backdooring Kubernetes clusters.
"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers," Prizmant said in a report published today.
Compromised nodes are then probed for credentials that allow the malware to spread to other nodes in the Kubernetes cluster.
Kubernetes admins are advised to switch from Windows containers to Hyper-V containers and ensure that their cluster is securely configured to prevent malware like Siloscape from deploying new malicious containers.
News URL
Related news
- FBI wipes Chinese PlugX malware from thousands of Windows PCs in America (source)
- Don't want your Kubernetes Windows nodes hijacked? Patch this hole now (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)