Cybersecurity researchers have shared information about a “first-of-its-kind” malware designed specifically to target Kubernetes clusters running atop Windows.
Researchers at Unit 42, the threat intelligence team at Palo Alto Networks, have named the malware Siloscape, since its main goal is to escape Windows containers.
“Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers,” said Unit 42, in its detailed analysis of the malware.
The researchers managed to access the malware’s command and control (C2) server, which revealed that the malware has compromised about two dozen victims and is actively abusing them.
Cloud malware isn’t new, especially given the rise of cloud computing. However, the Unit 42 researchers believe what makes Siloscape more dangerous than others is that it opens a backdoor that can be used for all kinds of malicious activities.
They argue that compromising an entire cluster is a lot more severe than compromising an individual container, since a cluster typically runs several cloud applications.
For example, ransomware authors could leverage Siloscape to take over all files hosted inside a cluster.
Furthermore, since many companies use Kubernetes clusters as their development and testing environments, the researchers warned that Siloscape could even be used to orchestrate supply chain campaigns.
“Siloscape shows us the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats,” the researchers conclude.