What you need to know
- A malware that targets Windows containers was discovered in March 2021.
- The man who found it, Daniel Prizmant, dubbed it "Siloscape."
- Siloscape aims to steal data and inject cryptocurrency miners.
Unit 42's Daniel Prizmant says he's discovered "the first known malware targeting Windows containers." Unit 42 is the cybersecurity consulting group for Palo Alto Networks that has announced its discovery of Siloscape and disclosed the dangers the malware has for cloud environments as we know them. Though the group has seen malware that goes after containers in Linux "due to the popularity of that operating system in cloud environments," it gives Siloscape the distinction of being the first to go after Windows containers.
"Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers," Prizmant said in his highly technical blog post outlining Siloscape and the threat it poses. "Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers."
Compromising entire clusters means that Siloscape can allow its hacker to cause a lot more trouble than had they just gotten access to a single container by itself. With access to a cluster, a hacker can get a hold of a lot more info, be it usernames, login credentials, or entire databases. Whatever's hosted in the cluster and the apps it's running, Siloscape may exfiltrate.
- Microsoft flags macOS bug — remotely bypassing Apple's sophisticated System Integrity Protection (SIP) security solution and allowing unauthorized third-party rootkit installs
- Microsoft blocks critical Secure Boot loophole after over 7 months — fortifying Windows 11 against sophisticated firmware attacks camouflaged as verified UEFI apps
Exfiltration of stolen data isn't the only activity Siloscape is built for. It can also inject cryptojackers to divert computational resources toward crypto mining activities.
"We identified 23 active Siloscape victims and discovered that the server was being used to host 313 users in total, implying that Siloscape was a small part of a broader campaign," Prizmant stated in his post. "I also discovered that this campaign has been taking place for more than a year."
The post recommends that users take Microsoft's advice on not using Windows containers for security purposes, recommending Hyper-V containers instead. If you want the full scoop on Siloscape, check out the blog post linked above. The key takeaway here is to know that the era of mainstream cloud hacking is upon us.
