
Malware attacks against cloud containers are nothing new, but they have primarily targeted Linux deployments, because Linux is where containers originated and remains by far the most common platform for them.

Now, attackers are targeting Docker deployments on Windows, and researchers have found a new malware program designed to escape from Windows Server Containers and infect Kubernetes clusters.

Dubbed Siloscape, the malware program is heavily obfuscated, uses a little-known Windows container escape technique and uses Tor for command-and-control communication. Its goal is to gain access to Kubernetes nodes and clusters and wait for further commands from attackers.

Docker and Windows Server containers

Docker and Kubernetes are the main technologies for deploying containerised applications on cloud infrastructure. They are also a major driver of the microservice architecture in modern software development, where an application is broken down into loosely coupled services, each running independently in its own container.

Docker is the tool used to package and run containers, and it relies on isolation features built into the Linux kernel (namespaces and control groups, not hardware virtualisation), while Kubernetes is the platform used to manage those containers and the applications running in them across multiple hosts (nodes) grouped into clusters.

As the two platforms gained massive popularity for software development and deployment, Microsoft wanted Docker and Kubernetes to be able to run on Windows Server as well, but the Windows kernel lacked some of the process and filesystem isolation features that allowed containers to share the same kernel on Linux.

The company developed some of those features and integrated them for the first time in Windows Server 2016, enabling a feature called Windows containers. This supports two modes of isolation: process isolation, which is similar to how Linux containers work where all containers share the host OS kernel, and Hyper-V isolation, which uses Microsoft’s Hyper-V hypervisor to set up lightweight virtual machines meaning each container has its own kernel.

Hyper-V-based containers offer a stronger isolation boundary, but at a higher cost in hardware resources, since each container runs inside its own lightweight virtual machine with its own kernel rather than behind a kernel-enforced boundary alone. That is why containers on Windows Server default to the process isolation mode, also known as silo containers, and users who run Docker on Windows Server, possibly coupled with the Azure Kubernetes Service (AKS) for management, are likely to be using them.
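The isolation mode is recorded per container in the `HostConfig.Isolation` field of `docker inspect` output, but the value `default` is ambiguous: Docker resolves it to process isolation on Windows Server and to Hyper-V isolation on Windows 10/11 client hosts. The script below is an added example (not code from the article, from Palo Alto Networks or from Docker) that audits which containers share the host kernel; the JSON sample is constructed to mirror the shape of `docker inspect` output, and the `host_type` parameter is an assumption standing in for a real host check.

```python
"""Audit Windows container isolation modes from `docker inspect` JSON.

Added example, not from the article. The sample below is constructed to mirror the
fields `docker inspect <container>` prints; only Name and HostConfig.Isolation are
read. Docker resolves the value "default" by host type: process isolation on
Windows Server, Hyper-V isolation on Windows 10/11 client.
"""
import json

# How Docker resolves an unset/"default" isolation value, keyed by host type.
# host_type itself is an assumed parameter; a real audit would derive it from the host.
DEFAULT_ISOLATION = {"server": "process", "client": "hyperv"}


def effective_isolation(host_config: dict, host_type: str = "server") -> str:
    """Return 'process' or 'hyperv' for one container's HostConfig block."""
    mode = (host_config.get("Isolation") or "default").lower()
    if mode == "default":
        return DEFAULT_ISOLATION[host_type]
    if mode not in ("process", "hyperv"):
        raise ValueError(f"unexpected isolation value: {mode!r}")
    return mode


def find_silo_containers(inspect_json: str, host_type: str = "server") -> list[str]:
    """Names of containers that share the host kernel (process/silo isolation).

    These are the containers a kernel-level escape such as the one Siloscape uses
    can reach the host from; Hyper-V isolated containers are not reported.
    """
    flagged = []
    for container in json.loads(inspect_json):
        if effective_isolation(container["HostConfig"], host_type) == "process":
            flagged.append(container["Name"].lstrip("/"))
    return flagged


# Constructed sample: three containers, trimmed to the fields this check reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-frontend", "HostConfig": {"Isolation": "default"}},
    {"Name": "/batch-worker", "HostConfig": {"Isolation": "process"}},
    {"Name": "/payment-api", "HostConfig": {"Isolation": "hyperv"}},
])

if __name__ == "__main__":
    for name in find_silo_containers(SAMPLE_INSPECT, host_type="server"):
        print(f"{name}: process isolation, shares the host kernel")
```

On a real host the input would come from `docker inspect $(docker ps -q)`; the point of resolving `default` explicitly is that a fleet report showing no container marked `process` can still be entirely silo containers on Windows Server.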

What is the Siloscape malware?

According to the Palo Alto Networks researchers who found Siloscape, the malware can only escape from silo containers, not from Hyper-V containers. It does so using a variation of an escape technique that the same researchers warned about last year. The method abuses the symbolic links Windows uses to redirect a container's file-system paths: a process holding the right privilege can create a link that points outside the silo, to the host's file system. Siloscape obtains that privilege by impersonating CExecSvc, a service that runs inside Windows containers.

“To execute the system call NtSetInformationSymbolicLink that enables the escape, one must gain SeTcbPrivilege first,” Palo Alto researcher Daniel Prizmant explained in a blog post. “There are a few ways to do this. For example, in my tests, I injected a DLL into CExecSvc.exe, which has the relevant privileges, and executed NtSetInformationSymbolicLink from the CExecSvc.exe context.

“Siloscape, however, uses a technique called Thread Impersonation. This method has little documentation online and even fewer working examples. The most critical function for this technique is the undocumented system call NtImpersonateThread.”

The use of the little-known thread impersonation technique suggests that the malware's developers are skilled and sophisticated. This is also reflected in the heavy obfuscation of the malware and in the passing of the C&C server information and password as an encrypted command-line argument instead of embedding them in the binary itself.

According to Prizmant, this is the first documented malware that was designed to target Windows containers and Kubernetes clusters specifically. The attackers break into containers by exploiting new, but publicly known, remote code execution vulnerabilities in applications or web servers that run in the container.

They then use the CExecSvc.exe impersonation technique described above to escape the container and search the host's file system for the kubectl.exe binary and its configuration file.

kubectl is the command-line tool used to run commands against Kubernetes clusters, and its configuration file (kubeconfig) can contain the credentials needed to do so. The malware issues a kubectl command to check whether the credentials on the compromised node have the permissions required to create new deployments. If kubectl is not found on the host, the malware terminates.

Siloscape also deploys Tor on the host and uses it to connect, over the IRC protocol, to a .onion server address, where it waits for commands from the attackers.

“Unlike other malware targeting containers, which are mostly cryptojacking-focused, Siloscape doesn’t actually do anything that will harm the cluster on its own,” Prizmant said. “Instead, it focuses on being undetected and untraceable and opens a backdoor to the cluster.”
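The behaviour described in the preceding paragraphs (a kubectl.exe invocation that probes for deployment-creation rights, followed by Tor and a .onion address on a container host) is visible in ordinary process-creation telemetry. The hunt below is an added example, not code from the article or from Palo Alto Networks: it scores constructed events laid out like Sysmon Event ID 1 records (Computer, Image, ParentImage, CommandLine). The article does not give the exact command Siloscape runs, so the `auth can-i create deployments` pattern, the list of "admin shells" and the sample paths are assumptions made for the example.

```python
"""Hunt for the Siloscape post-escape pattern in process-creation events.

Added example, not from the article. Events are constructed in the shape of a
Sysmon Event ID 1 record. Assumptions: the kubectl permission probe looks like
`auth can-i create deployments`, and operators normally run kubectl from one of
the shells in ADMIN_SHELLS.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    computer: str
    image: str
    parent_image: str
    command_line: str


# v2 onion names are 16 base32 characters, v3 names are 56; accept either.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)
# Assumed shape of a kubectl probe for the right to create deployments.
KUBECTL_RBAC_PROBE = re.compile(r"\bauth\s+can-i\b.*\bcreate\b.*\bdeployments?\b", re.IGNORECASE)
# Assumed set of parents from which an operator would normally invoke kubectl.
ADMIN_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "windowsterminal.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (tag, explanation) pairs for each suspicious trait; empty means clean."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img == "tor.exe":
        hits.append(("tor", "tor.exe started on a container host"))
    if ONION_RE.search(ev.command_line):
        hits.append(("onion", ".onion address on the command line"))
    if img == "kubectl.exe":
        if KUBECTL_RBAC_PROBE.search(ev.command_line):
            hits.append(("kubectl_probe", "kubectl probing for rights to create deployments"))
        if parent not in ADMIN_SHELLS:
            hits.append(("kubectl_parent", f"kubectl.exe launched by {parent}, not an admin shell"))
    return hits


def hunt(events: list[ProcEvent]) -> dict[str, set[str]]:
    """Map each host to the set of suspicious tags seen in its events."""
    findings: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for tag, _ in score_event(ev):
            findings[ev.computer].add(tag)
    return dict(findings)


def hosts_with_full_chain(events: list[ProcEvent]) -> list[str]:
    """Hosts showing both halves of the pattern: a kubectl anomaly and Tor/.onion activity."""
    flagged = []
    for computer, tags in hunt(events).items():
        if tags & {"kubectl_probe", "kubectl_parent"} and tags & {"tor", "onion"}:
            flagged.append(computer)
    return sorted(flagged)


# Constructed sample telemetry; paths, host names and the .onion name are made up.
SAMPLE_EVENTS = [
    ProcEvent("node01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcEvent("node01", r"C:\k\kubectl.exe", r"C:\app\svc.exe",
              r"kubectl.exe --kubeconfig C:\k\config auth can-i create deployments"),
    ProcEvent("node01", r"C:\Users\Public\tor.exe", r"C:\app\svc.exe",
              r"tor.exe -f C:\Users\Public\torrc"),
    ProcEvent("node02", r"C:\k\kubectl.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "kubectl.exe get pods -A"),
    ProcEvent("node03", r"C:\Tools\curl.exe", r"C:\Windows\System32\cmd.exe",
              "curl.exe http://expyuzz4wqqyqhjn.onion/"),
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
    print("full chain:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Only node01 shows both halves of the chain; node02's `kubectl get pods` from PowerShell is routine administration, and node03's lone .onion request is worth a look but is not by itself the Siloscape pattern. Because Siloscape exits when kubectl is absent, the cheapest preventive control the hunt implies is not leaving kubectl.exe and a privileged kubeconfig on worker nodes at all.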
