Siloscape malware escapes Windows containers to backdoor Kubernetes clusters


Malware attacks against cloud containers are nothing new, but these attacks have primarily focused on Linux deployments because they are the most common and where containers were born.

Now, attackers are targeting Docker deployments on Windows, and researchers have found a new malware program designed to escape from Windows Server Containers and infect Kubernetes clusters.

Dubbed Siloscape, the malware program is heavily obfuscated, relies on a little-known Windows container escape technique and communicates with its command-and-control server over Tor. Its goal is to gain access to Kubernetes nodes and clusters and wait for further commands from the attackers.

Docker and Windows Server containers

Docker and Kubernetes are the main technologies for deploying containerised applications on cloud infrastructure. They are also directly responsible for the popularity of the microservice architecture in modern software development, where software is broken down into loosely coupled services running independently in their own secure containers.

Docker is the technology used to set up containers and is based on the operating-system-level isolation features built into the Linux kernel, while Kubernetes is the platform used to manage those containers and the applications running in them across multiple hosts (nodes) grouped into clusters.

As the two platforms gained massive popularity for software development and deployment, Microsoft wanted Docker and Kubernetes to be able to run on Windows Server as well, but the Windows kernel lacked some of the process and filesystem isolation features that allowed containers to share the same kernel on Linux.

The company developed some of those features and integrated them for the first time in Windows Server 2016, enabling a feature called Windows containers. This supports two modes of isolation: process isolation, which works like Linux containers in that all containers share the host OS kernel, and Hyper-V isolation, which uses Microsoft's Hyper-V hypervisor to run each container inside a lightweight virtual machine with its own kernel.

Hyper-V-based containers offer better isolation, but they have a higher cost on hardware resources since each container is essentially a full-blown virtual machine and not just a kernel-enforced security boundary. That’s why containers on Windows Server default to the process isolation mode—also known as silo containers—and users who run Docker on Windows Server, possibly coupled with the Azure Kubernetes Service (AKS) for management, are likely to use them.
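Because process-isolated silo containers share the host kernel, an operator will want to know which running containers use that mode. The following PowerShell audit is an added example, not code from the article or from the Siloscape research; it assumes Docker on Windows Server with the `docker` CLI on PATH and reads the `HostConfig.Isolation` field that Docker's container inspect output exposes.

```powershell
# Added example (not from the article): list running Windows containers by
# isolation mode so silos (process isolation) can be told apart from Hyper-V
# isolated containers. Assumes the docker CLI is on PATH.
function Get-ContainerIsolation {
    $ids = docker ps -q
    if (-not $ids) { return @() }
    foreach ($id in $ids) {
        # Go-template output: "<name>|<image>|<isolation>"
        $line = docker inspect --format '{{.Name}}|{{.Config.Image}}|{{.HostConfig.Isolation}}' $id
        $name, $image, $iso = $line -split '\|', 3
        # "default" (or empty) means the daemon default, which on Windows Server
        # is process isolation, i.e. a silo sharing the host kernel
        if ([string]::IsNullOrEmpty($iso) -or $iso -eq 'default') {
            $iso = 'process (daemon default)'
        }
        [pscustomobject]@{
            Id        = $id
            Name      = $name.TrimStart('/')
            Image     = $image
            Isolation = $iso
        }
    }
}

# Report every container that shares the host kernel
Get-ContainerIsolation |
    Where-Object { $_.Isolation -like 'process*' } |
    Format-Table -AutoSize
```

Containers listed here are the ones whose only boundary to the host is the kernel, so they are the population a container escape of the kind described above would affect.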

What is the Siloscape malware?
