How does the new Siloscape malware violate the "Kubernetes clusters"?

A new malware strain that has been active for more than a year, named Siloscape, compromises Windows containers in order to breach Kubernetes clusters, with the ultimate goal of backdooring them and paving the way for attackers to abuse them in other malicious activities.


Originally developed by Google and currently maintained by the Cloud Native Computing Foundation, Kubernetes is an open source system for automating the development, scaling, and management of containerized applications.

It organizes application containers into pods, nodes, and clusters: multiple nodes form a cluster, which is managed by a master that coordinates cluster-wide tasks such as scaling or updating applications.

The malware, named Siloscape by security researcher Daniel Prizmant, initially targets Windows containers through known vulnerabilities affecting the web servers and databases running in them, with the ultimate goal of compromising Kubernetes nodes and backdooring clusters.

Once it has compromised a web server, Siloscape uses various container-escape techniques to achieve code execution on the underlying Kubernetes node.

The compromised nodes are then investigated for credentials that allow the malware to spread to other nodes in the Kubernetes cluster.
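As an added example (not code from the article or from the researcher's report), the following Python function audits Kubernetes pod specs for settings that make the two steps above easier: escaping from a container to the node, and finding credentials that let an intruder move across the cluster. The pod data is a constructed sample shaped like `kubectl get pods -A -o json` output, not data from any real cluster.

```python
# Constructed sample shaped like `kubectl get pods -A -o json` output (hypothetical pods).
SAMPLE_PODS = {
    "items": [
        {"metadata": {"name": "web", "namespace": "prod"},
         "spec": {"hostPID": False,
                  "automountServiceAccountToken": True,
                  "containers": [{"name": "iis",
                                  "securityContext": {"privileged": True}}],
                  "volumes": [{"name": "root", "hostPath": {"path": "C:\\"}}]}},
        {"metadata": {"name": "api", "namespace": "prod"},
         "spec": {"automountServiceAccountToken": False,
                  "containers": [{"name": "api",
                                  "securityContext": {"privileged": False,
                                                      "allowPrivilegeEscalation": False}}]}},
    ]
}


def audit_pod(pod):
    """Return findings that weaken the container/node boundary or expose cluster credentials."""
    spec = pod["spec"]
    findings = []
    # Sharing a host namespace lets a container see or reach node-level processes and sockets.
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        findings.append("shares a host namespace")
    # A hostPath volume exposes the node's filesystem inside the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath mount {vol['hostPath']['path']}")
    # The token is mounted by default; inside a compromised pod it is a credential for the API server.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token mounted")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        # Windows HostProcess containers run directly on the node, outside the container boundary.
        if sc.get("windowsOptions", {}).get("hostProcess"):
            findings.append(f"container {c['name']} is a Windows HostProcess container")
        elif sc.get("allowPrivilegeEscalation", True) and not sc.get("privileged"):
            findings.append(f"container {c['name']} allows privilege escalation")
    return findings


def audit(pod_list):
    """Map namespace/name -> findings for every pod in a pod list document."""
    return {f"{p['metadata']['namespace']}/{p['metadata']['name']}": audit_pod(p)
            for p in pod_list["items"]}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PODS).items():
        print(name, findings or "ok")
```

Pods with an empty findings list follow the least-privilege defaults; the others are the ones to tighten with a pod security standard or admission policy.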

In the final stage of the infection, the malware creates a communication channel with its command-and-control (C2) server over IRC through the Tor anonymity network and listens for incoming commands from the master.

After gaining access to the malware's C2 server, Prizmant was able to identify 23 active victims and found that the server was hosting a total of 313 users, implying that Siloscape is only a small part of a much larger campaign.


Exposes victims to ransomware, supply chain attacks

While most malware that targets cloud environments focuses on cryptojacking and on abusing infected systems to launch DDoS attacks, Siloscape is something completely different.

First of all, it makes every effort to avoid detection, refraining from any action that could alert the owners of the breached clusters to the attack, including cryptojacking.

Its aim is to backdoor the Kubernetes clusters, which paves the way for its operators to abuse the breached cloud infrastructure for a wider range of attacks, such as credential theft, data exfiltration, ransomware and even highly destructive supply chain attacks.

Teo Ehc