Security News > 2021 > June > New Kubernetes malware backdoors clusters via Windows containers
New malware active for more than a year is compromising Windows containers to compromise Kubernetes clusters with the end goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.
It organizes app containers into pods, nodes, and clusters, with multiple nodes forming clusters managed by a master which coordinates cluster-related tasks such as scaling or updating apps.
The malware, dubbed Siloscape by Unit 42 security researcher Daniel Prizmant and the first one to target Windows containers, exploits known vulnerabilities impacting web servers and databases with the end goal of compromising and backdooring Kubernetes clusters.
"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers," Prizmant said in a report published today.
Compromised nodes are then probed for credentials that allow the malware to spread to other nodes in the Kubernetes cluster.
Kubernetes admins are advised to switch from Windows containers to Hyper-V containers and ensure that their cluster is securely configured to prevent malware like Siloscape from deploying new malicious containers.
News URL
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)