
Siloscape malware targets Windows containers, breaks through to the underlying Kubernetes cluster
2021-06-08 15:30

A reverse engineer has discovered what is claimed to be "The first known malware targeting Windows containers to compromise cloud environments," a sentence to put any system administrator on edge.

Building on work published in December of last year on reverse-engineering Windows containers, security researcher Daniel Prizmant's latest discovery - made during his day job at Palo Alto Networks' Unit 42 security arm - looks to punch holes in Kubernetes clusters, and has apparently succeeded in doing so across at least 23 known targets.

"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," Prizmant wrote of the malware, which he first discovered in the wild in March.

"Compromising an entire cluster is much more severe than compromising an individual container," Prizmant explained in his report, "as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application. For example, the attacker might be able to steal critical information such as usernames and passwords, an organization's confidential and internal files or even entire databases hosted in the cluster."

"A few weeks after that discussion, I reported the issue to Google because Kubernetes is vulnerable to those issues. Google contacted Microsoft, and after some back and forth, it was determined by Microsoft that an escape from a Windows container to the host, when executed without administrator permissions inside the container, will in fact be considered a vulnerability."

"Furthermore, administrators should make sure their Kubernetes cluster is securely configured. In particular, a secured Kubernetes cluster won't be as vulnerable to this specific malware as the nodes' privileges won't suffice to create new deployments. In this case, Siloscape will exit."
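A configuration check in the spirit of that last point, added here as an example rather than code from the article or Unit 42: it reads RBAC objects offline (the sample roles and bindings are constructed inline, and names such as `win-node-1` and `nodes-are-admins` are made up) and reports ClusterRoleBindings that would let node identities create Deployments, the privilege the report says Siloscape needs before it does anything.

```python
# Added example (not the article's or Unit 42's code): offline RBAC check that flags
# ClusterRoleBindings letting node identities create apps/deployments, the privilege
# Siloscape is reported to need. Input shape follows `kubectl get ... -o json`.
# RBAC only; other authorizers (Node authorizer, webhooks) are out of scope.
NODE_GROUP = "system:nodes"          # group every kubelet belongs to
NODE_USER_PREFIX = "system:node:"    # kubelet user name: system:node:<node-name>

def _rule_allows_create_deployments(rule):
    """True if one PolicyRule grants create on apps/deployments, wildcards included."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or "apps" in groups)
            and ("*" in resources or "deployments" in resources)
            and ("*" in verbs or "create" in verbs))

def _subject_is_node(subject):
    kind, name = subject.get("kind"), subject.get("name", "")
    return (kind == "Group" and name == NODE_GROUP) or (
        kind == "User" and name.startswith(NODE_USER_PREFIX))

def find_node_deployment_grants(cluster_roles, bindings):
    """Names of ClusterRoleBindings that let node identities create Deployments."""
    roles = {r["metadata"]["name"]: r.get("rules", []) for r in cluster_roles}
    offending = []
    for b in bindings:
        if not any(_subject_is_node(s) for s in b.get("subjects", [])):
            continue
        rules = roles.get(b["roleRef"]["name"], [])  # unknown role -> no rules
        if any(_rule_allows_create_deployments(r) for r in rules):
            offending.append(b["metadata"]["name"])
    return offending

# Constructed sample: a wildcard admin role, one risky binding and one harmless one.
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "nodes-are-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"metadata": {"name": "nodes-read-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "system:node:win-node-1"}]},
]
if __name__ == "__main__":
    print(find_node_deployment_grants(SAMPLE_ROLES, SAMPLE_BINDINGS))  # ['nodes-are-admins']
```

On a live cluster the same objects come from `kubectl get clusterroles,clusterrolebindings -o json`; namespaced RoleBindings that reference a ClusterRole would need the same treatment per namespace.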


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/08/siloscape_malware_windows_containers/
