Siloscape, a portmanteau of silo and escape (Windows implements containers as server silos), is a heavily obfuscated malware family that targets Kubernetes clusters through Windows containers. Its appearance surprises nobody given how aggressively cloud adoption has accelerated over the last few years. Siloscape aims to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers in them.
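The "poorly configured cluster" an attacker needs after escaping one container is, in practice, a set of credentials whose RBAC grants allow creating workloads in any namespace. The following audit is an added example written for this page; it is not Siloscape's code and not from the original article. It takes ClusterRole and ClusterRoleBinding objects in the JSON shape returned by `kubectl get clusterroles,clusterrolebindings -o json` and reports every subject that can create pods or pod-controlling resources cluster-wide, flagging default service accounts and catch-all groups. The sample dump, the resource and subject lists, and the function names are constructed for the example.

```python
"""Audit Kubernetes RBAC for subjects that can create workloads cluster-wide.

Constructed example for this page (not Siloscape's code, not from the original
article). Input is a list of ClusterRole / ClusterRoleBinding objects as dicts,
the shape `kubectl get clusterroles,clusterrolebindings -o json` yields under
"items". Output: who can schedule arbitrary containers in any namespace.
"""
import json

# Resources whose creation lets a subject run an arbitrary container somewhere
# in the cluster (directly, or via a controller that creates pods for it).
WORKLOAD_RESOURCES = {
    "pods", "deployments", "replicasets", "daemonsets", "statefulsets",
    "jobs", "cronjobs",
}
# Verbs that permit creation; "*" is the RBAC wildcard.
CREATE_VERBS = {"create", "*"}
# Subjects that make a grant effectively available to everyone or everything.
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:serviceaccounts"),
    ("User", "system:anonymous"),
}


def rule_grants_workload_create(rule):
    """True if a single PolicyRule allows creating a workload resource."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if not verbs & CREATE_VERBS:
        return False
    return "*" in resources or bool(resources & WORKLOAD_RESOURCES)


def subject_label(subject):
    """Render a subject as (kind, name); service accounts carry their namespace."""
    name = subject["name"]
    if subject["kind"] == "ServiceAccount":
        name = f"{subject.get('namespace', 'default')}/{name}"
    return subject["kind"], name


def is_risky_subject(subject):
    """Default service accounts and catch-all groups should never create workloads."""
    kind, name = subject_label(subject)
    if kind == "ServiceAccount" and name.endswith("/default"):
        return True
    return (kind, name) in BROAD_SUBJECTS


def find_workload_creators(objects):
    """Return sorted (kind, name, clusterrole, risky) tuples for every subject
    that a ClusterRoleBinding grants cluster-wide workload creation.

    Only ClusterRoleBindings count: a RoleBinding that references a ClusterRole
    confines the grant to one namespace. Aggregated ClusterRoles are judged on
    the rules present in the dump, which is what the API server materialised.
    """
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    findings = []
    for obj in objects:
        if obj["kind"] != "ClusterRoleBinding":
            continue
        ref = obj["roleRef"]
        role = roles.get(ref["name"]) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue  # role absent from the dump: nothing provable, skip
        if not any(rule_grants_workload_create(r) for r in role.get("rules", [])):
            continue
        for subject in obj.get("subjects", []):
            kind, name = subject_label(subject)
            findings.append((kind, name, ref["name"], is_risky_subject(subject)))
    return sorted(findings)


# Constructed sample dump: a cluster-admin CI runner, a read-only group, and a
# deployer role handed both to a named user and to the default service account.
SAMPLE_OBJECTS = json.loads("""
[
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "deployer"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "create", "update"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
  "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "Group", "name": "developers"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "deployers"},
  "roleRef": {"kind": "ClusterRole", "name": "deployer"},
  "subjects": [{"kind": "User", "name": "alice"},
               {"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}
]
""")


if __name__ == "__main__":
    for kind, name, role, risky in find_workload_creators(SAMPLE_OBJECTS):
        flag = "  <-- risky subject" if risky else ""
        print(f"{kind:<15} {name:<20} via ClusterRole/{role}{flag}")
```

Against the sample dump the audit reports the CI runner (cluster-admin) and both holders of the deployer role, and flags the default service account as a risky subject; the read-only group is not reported. A node's kubelet credentials, which is what an escaped container would hold, should never appear in this output.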
Siloscape targets clusters rather than individual containers because a cluster holds far more valuable material: usernames and passwords for an entire organization, internal files, confidential data, and even entire databases. Worse, the intrusion can be escalated into ransomware rather than stopping at a simple malware infection.
A further problem is that many organizations moving to the cloud use Kubernetes clusters as their testing and development environments, so a breach of such an environment can lead to devastating software supply chain attacks. Siloscape reaches its C2 (command and control) server anonymously over the Tor network, connecting through a Tor proxy to a .onion address.
Several techniques and behaviors characterize the malware:
The malware can also leverage the compromised cluster's computing resources for data exfiltration and crypto-jacking.
The attached IOCs are the vendor's own indicators for the variant that vendor analyzed; they should not be assumed to cover other variants.