Tag Archive for: Kubernetes
Siloscape: this new malware targets Windows containers to access Kubernetes clusters
A new brand of malware designed to compromise Windows containers to reach Kubernetes clusters has been revealed by researchers.
The malware, dubbed Siloscape, is considered unusual as malware generally designed to target containers focuses on Linux as a popular operating system for managing cloud applications and environments.
According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, has been named as such because its overall aim is to escape Windows containers via a server silo.
In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, used by threat actors to manage their malware, data exfiltration, and to send commands.
The malware, labeled as CloudMalware.exe, targets Windows containers — using Server rather than Hyper-V isolation — and will launch attacks utilizing known vulnerabilities that have not been patched for initial access against servers, web pages, or databases.
Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as the impersonation of the CExecSvc.exe, a container image service, to obtain SeTcbPrivilege privileges.
“Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”
If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or will load up cryptocurrency miners to leverage the system’s resources to covertly mine for cryptocurrency and earn its operators profit for as long as the activities go undetected.
The malware’s developers have ensured that heavy obfuscation is in place — to the point where functions and module names are only deobfuscated at runtime — in order to…
Nearly 50,000 IPs Compromised in Kubernetes Clusters
Governance & Risk Management
,
IT Risk Management
Trend Micro: Cryptojacking Group TeamTNT Targets Clusters in Wormlike Attack
See Also: How IT Resilience Gaps Impact Your Business
Kubernetes, developed and backed by Google, is one of the most widely adopted container orchestration platforms for automating the deployment, scaling and management of containerized applications.
“The high number of targets shows that TeamTNT is still expanding its reach, especially in cloud environments, and perhaps infrastructure, since the group can monetize a more significant amount from their campaigns with more potential victims,” Magno Logan, information security specialist and senior threat researcher at Trend Micro, writes in a blog post.
Attractive Target
Kubernetes clusters are an attractive attack target because they are often misconfigured, the researchers say.
TeamTNT is a cloud-focused cryptojacking group that often targets Amazon Web Services credential files on compromised cloud systems to mine for the cryptocurrency Monero. Security researchers first spotted the group in 2020.
The group has been scanning for and compromising Kubernetes clusters in the wild, Trend Micro reports. Several IPs were repeatedly exploited between March and May, the company says.
In previous research, Trend Micro highlighted that TeamTNT was actively stealing AWS, Docker and Linux Secure Shell credentials as well waging cryptojacking attacks and placing backdoors – such as IRC bots and remote shells…
