New malware tries to invade cloud environments via Windows containers

A new breed of malware specifically targets Windows containers to gain access to Kubernetes clusters of cloud environments. It is the first malware of its kind to specifically target Windows containers.

The malware, which the researchers call Siloscape, is unique in its kind, according to the researchers, because most other malware targeting cloud environments focuses on Linux. The malware was discovered in March by researchers from company Palo Alto Networks.

In a blog post, the researchers write that the malware searches for poorly configured Kubernetes clusters via Windows containers, and then opens a backdoor in the cluster to run an infected container. The malware uses known vulnerabilities in cloud apps and web servers to gain access, then tries to escape through the Windows container.

Once the attackers are inside and the malware has escaped, the malware performs remote code execution through the backdoor on the cluster’s underlying nodes. Siloscape does everything it can to remain undetected, for example by connecting anonymously via a tor proxy and a .onion domain to the command-and-control server of the malware, from which the attackers can steal data and can send commands to the malware.

According to Palo Alto Networks, the malware has managed to successfully access a cloud environment at least 23 times. The researchers gained access to the malware’s command-and-control server with a total of 313 users. As a result, the researchers believe that Siloscape is only a small part of a large-scale malware attack. That attack has been going on for at least a year.

Initially, after reporting by the researchers, Microsoft did not see how the malware was a vulnerability in Windows Server, where the containers run. That is why the researchers contacted Google, as the owner of Kuberneters. After “back and forth between Google and Microsoft,” Microsoft did assess the malware as a vulnerability, under CVE-2021-24096.