A new malware strain called Siloscape, active for more than a year, compromises Windows containers to breach Kubernetes clusters, with the ultimate goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.
Originally developed by Google and currently maintained by the Cloud Native Computing Foundation, Kubernetes is an open source system for automating the development, scaling, and management of containerized applications.
It organizes application containers into pods, nodes, and clusters; multiple nodes form a cluster managed by a master that coordinates cluster-wide tasks, such as scaling or updating applications.
The malware, named Siloscape by security researcher Daniel Prizmant, initially targets Windows containers through known vulnerabilities affecting the web servers and databases running in them, with the ultimate goal of compromising Kubernetes nodes and "backdooring clusters".
Once a web server is compromised, Siloscape uses various container-escape tactics to achieve code execution on the underlying Kubernetes node.
The compromised node is then searched for credentials that allow the malware to spread to other nodes in the Kubernetes cluster.
In the final stage of the infection, the malware establishes a channel to its command-and-control (C2) server over IRC, routed through the Tor anonymity network, and listens for incoming commands from the server.
After gaining access to the malware's C2 server, Prizmant was able to identify 23 active victims and found that the server was hosting a total of 313 users, implying that Siloscape is only a small part of a much larger campaign.
Exposes victims to ransomware, supply chain attacks
First of all, Siloscape makes every effort to avoid detection, refraining from any action that could alert the owners of the breached clusters to the attack, including cryptojacking.
Its aim is to backdoor the Kubernetes clusters, which paves the way for its operators to abuse the breached cloud infrastructure for a wider range of malicious activity, such as credential theft, data exfiltration, ransomware attacks and even highly destructive supply chain attacks.
Source of information: bleepingcomputer.com