Kubernetes has immensely simplified cloud-native infrastructure for developers. A few lines of configuration and a single Kubernetes command are enough to put a service in front of users. Kubernetes is popular because of its portability and its faster, simpler deployments. However, it comes with security considerations. Container security has long been questioned for a number of reasons. For Kubernetes, these considerations arise not because Kubernetes itself is insecure or risky, but because of overlooked code and configuration. According to a Red Hat survey, 94% of the surveyed organizations experienced at least one security incident in their Kubernetes environment, and 55% of respondents observed delays in deploying Kubernetes applications due to security concerns.
The distributed, dynamic nature of the Kubernetes cluster makes Kubernetes security super important throughout the container lifecycle. Each phase of the application lifecycle, including build, deploy, and runtime, demands different security approaches. Kubernetes has inherent security advantages; however, the ever-changing runtime environment can pose security challenges.
In March 2021, Daniel Prizmant, Principal Security Researcher at Palo Alto Networks, spotted Siloscape. The name comes from its habit of trying to escape the silo, the isolation primitive behind Windows Server Containers. Siloscape is the first recorded malware to target Windows containers and poses a real risk to poorly configured enterprise clouds. Prizmant stated that Siloscape targets Kubernetes clusters through Windows containers, opening a backdoor into poorly configured Kubernetes clusters to run malicious containers. It allows attackers to steal user credentials and data or even hijack entire databases hosted in the cluster. It uses a Tor proxy and a .onion domain to connect anonymously to its command and control (C2) server. He gained access to this server and found 23 active victims of Siloscape.
Calamitous front of Siloscape
A compromised container is one thing. The aftereffects can be minimized if the container is contained at the right time. An entire cluster compromised is a major concern, as a cluster can run multiple cloud applications. It can affect the overall software and application environments in no time.
Siloscape mainly targets Windows containers and opens up a backdoor to a Kubernetes cluster, allowing an attacker to run any code, anywhere in the victim's cluster. The attack could be of any type, such as cryptojacking (using the cloud computing power), data exfiltration (stealing data within the cluster), ransomware (locking or encrypting the cluster), and distributed Denial of Service (DDoS) (using the cloud computing power as part of a botnet). Even if a single container shuts down, the attacker still retains control, allowing them to create new containers, shut down others, or execute code in existing containers. In short, Siloscape can cause havoc in a Windows cloud environment by compromising a Kubernetes cluster.
Prizmant, after analyzing the C2 server, found that the malware is just a tiny part of a more extensive campaign that was still ongoing at the time of the report and had been running for over a year. The attack chain most commonly targets web servers for initial access, uses Windows container escape techniques to break out of the container and gain code execution on the underlying node, and then uses the node's credentials to spread through the cluster.
How to protect against Siloscape
Restricting unauthorized access is vital for organizations. In the case of Siloscape, organizations need to review the security configurations of their clusters and cloud environments. Every function must sit behind proper authorization and permission checks. A systematic approach, with security checks from container-aware endpoint security tools, improves the coverage of scans and reduces exposure.
Maintaining proper container hygiene, and Kubernetes hygiene in particular, goes a long way against Siloscape and related malware. Kubernetes provides well-written and comprehensive documentation on how to configure, manage, and secure clusters. Kubernetes is a great way to level up applications and services, but the proper configuration of the Kubernetes cluster cannot be neglected.
Running any code in Windows Server Containers should be considered as dangerous as running it as an administrator on the host. Escaping these containers is easy, and anyone operating them needs to be aware of this. Windows Server 2022 offers two container types: Windows Server Containers and Hyper-V Containers. These correspond to the two solutions Microsoft proposes for running Windows-based containers: the first, which Microsoft recommends, runs each container inside a lightweight Virtual Machine (VM) based on Hyper-V technology; the second works much like a traditional Linux container implementation, with containers sharing the host kernel.
To meet the needs of different networking configurations, Windows Server Containers and Hyper-V containers offer various networking modes, each with its own performance characteristics. Users must follow Microsoft's guidance, which strictly recommends running Hyper-V containers instead of Windows Server Containers. If you are currently running any applications in Windows Server Containers that need to be secured, moving those applications to Hyper-V containers is recommended.
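The two defensive points above (review who the cluster lets spawn workloads, and run Windows workloads with Hyper-V isolation) can be checked mechanically against the manifests you deploy. The script below is an added example, not code from the article or from Palo Alto Networks. It audits already-parsed Kubernetes manifests (plain dicts, as `yaml.safe_load` would return them, so it runs offline without PyYAML) and flags three things: Windows pods whose `runtimeClassName` does not point at a Hyper-V isolated RuntimeClass, pods that auto-mount a service account token (the credential a container escape hands to the attacker), and bindings that give a ServiceAccount a role able to create or modify workloads. The handler name `runhcs-wcow-hypervisor` is the containerd handler used for Hyper-V isolated Windows containers; that your cluster registers it under this name is an assumption. The sample manifests are constructed for illustration.

```python
"""Audit Kubernetes manifests for the misconfigurations Siloscape relies on.

Added example: not the article's or any project's own code. Manifests are
plain dicts (the shape yaml.safe_load returns). Assumption: Hyper-V isolated
Windows containers are exposed through a RuntimeClass whose handler is
'runhcs-wcow-hypervisor' (the containerd handler name).
"""
from typing import Dict, List, Set

HYPERV_HANDLER = "runhcs-wcow-hypervisor"
WORKLOAD_KINDS = {"Pod", "Deployment", "DaemonSet", "StatefulSet", "Job"}
# Resources and verbs that let a principal spawn or alter workloads, which is
# how a stolen node or service-account credential is turned into cluster control.
RISKY_RESOURCES = {"pods", "deployments", "daemonsets", "statefulsets", "jobs", "*"}
RISKY_VERBS = {"create", "update", "patch", "*"}


def hyperv_runtime_classes(manifests: List[Dict]) -> Set[str]:
    """Names of RuntimeClass objects that select the Hyper-V handler."""
    return {m["metadata"]["name"] for m in manifests
            if m.get("kind") == "RuntimeClass" and m.get("handler") == HYPERV_HANDLER}


def risky_roles(manifests: List[Dict]) -> Set[str]:
    """Roles/ClusterRoles whose rules allow creating or changing workloads."""
    names = {"cluster-admin"}  # built-in, always counts
    for m in manifests:
        if m.get("kind") not in ("ClusterRole", "Role"):
            continue
        for rule in m.get("rules", []):
            if (set(rule.get("resources", [])) & RISKY_RESOURCES
                    and set(rule.get("verbs", [])) & RISKY_VERBS):
                names.add(m["metadata"]["name"])
    return names


def pod_spec(m: Dict) -> Dict:
    """Pod spec of a bare Pod, or the pod template spec of a controller."""
    if m.get("kind") == "Pod":
        return m.get("spec", {})
    return m.get("spec", {}).get("template", {}).get("spec", {})


def is_windows(spec: Dict) -> bool:
    """Windows workloads declare spec.os.name or a kubernetes.io/os selector."""
    return (spec.get("os", {}).get("name") == "windows"
            or spec.get("nodeSelector", {}).get("kubernetes.io/os") == "windows")


def audit(manifests: List[Dict]) -> List[str]:
    """Return one human-readable finding per misconfiguration."""
    findings = []
    hyperv = hyperv_runtime_classes(manifests)
    risky = risky_roles(manifests)
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name", "?")
        if kind in WORKLOAD_KINDS:
            spec = pod_spec(m)
            if is_windows(spec) and spec.get("runtimeClassName") not in hyperv:
                findings.append(f"{kind}/{name}: Windows workload not using a "
                                f"Hyper-V isolated RuntimeClass")
            if spec.get("automountServiceAccountToken", True):
                findings.append(f"{kind}/{name}: service account token is "
                                f"auto-mounted into the container")
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            role = m.get("roleRef", {}).get("name")
            if role in risky:
                for s in m.get("subjects", []):
                    if s.get("kind") == "ServiceAccount":
                        findings.append(f"{kind}/{name}: ServiceAccount "
                                        f"{s.get('namespace', '?')}/{s.get('name')} "
                                        f"bound to workload-controlling role '{role}'")
    return findings


# Constructed sample input: one hardened and one legacy Windows pod, plus a
# binding that hands cluster-admin to a namespace's default service account.
SAMPLE_MANIFESTS = [
    {"apiVersion": "node.k8s.io/v1", "kind": "RuntimeClass",
     "metadata": {"name": "windows-hyperv"}, "handler": HYPERV_HANDLER},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "iis-legacy"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
              "containers": [{"name": "iis", "image": "example.invalid/iis:1"}]}},
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "iis-hardened"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
              "runtimeClassName": "windows-hyperv",
              "automountServiceAccountToken": False,
              "containers": [{"name": "iis", "image": "example.invalid/iis:1"}]}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "web-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "web"}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFESTS):
        print(line)
```

Run against the sample, the hardened pod produces no finding, while the legacy pod is reported twice (no Hyper-V RuntimeClass, token auto-mounted) and the binding once. In practice you would feed it `kubectl get ... -o yaml` output parsed with PyYAML, and treat the RBAC finding as the most urgent: it is the combination of a token in the container and a permissive binding that turns one escaped container into control of the cluster.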
Siloscape doesn't restrict itself to any particular goal, unlike most cloud malware, which focuses on resource hijacking and Denial of Service (DoS). Siloscape opens a backdoor to all kinds of malicious activities. This makes it crucial for administrators to securely configure their Kubernetes clusters. Siloscape has again highlighted the most talked-about aspect of containers: security. Organizations must maintain a well-configured and secure cloud environment to protect against such threats. Our ContainerOps experts can help you bolster your container security initiatives. Get in touch to learn more about securing your Kubernetes cluster against Siloscape and similar threats.