“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant said.
Typically, an attack starts with the malware operators abusing a known vulnerability to gain remote code execution inside a Windows container, which is then used to run Siloscape. Next, the malware escapes the container to compromise the host, checks if the host has privileges to create new Kubernetes deployments, and connects to the C&C server using Tor.
To escape the container, the malware impersonates CExecSvc.exe and then creates a symbolic link to its local containerized X drive to the host’s C drive. Next, it searches for specific Kubernetes files and makes sure it can execute kubectl commands.
The main focus of the malware is to remain undetected on the compromised environment. Unlike other container-targeting malware that were designed for resource hijacking and denial of service (DoS), it opens a backdoor into the cluster, which allows its operators to perform all kinds of malicious activities.
Given that Siloscape targets Windows Server containers, administrators should make sure their cloud environments are properly secured and configured. Thus, Hyper-V containers should be employed for operations that rely on containerization as a security boundary, and Kubernetes clusters should be securely configured.
