Siloscape malware escapes Windows containers to backdoor Kubernetes clusters

Malware attacks against cloud containers are nothing new, but these attacks have primarily focused on Linux deployments because they are the most common and where containers were born. Now, attackers are targeting Docker deployments on Windows, and researchers have found a new malware program designed to escape from Windows Server Containers and infect Kubernetes clusters.

Dubbed Siloscape, the malware program is heavily obfuscated, uses a little-known Windows container escape technique and uses Tor for command-and-control communication. Its goal is to gain access to Kubernetes nodes and clusters and wait for further commands from attackers.

Docker and Windows Server containers

Docker and Kubernetes are the main technologies for deploying containerized applications on cloud infrastructure. They are also directly responsible for the popularity of the microservice architecture in modern software development, where software is broken down into loosely coupled services running independently in their own secure containers.

Docker is the technology used to set up containers and is based on the kernel-based virtualization features built into the Linux kernel, while Kubernetes is the platform used to manage those containers and the applications running in them across multiple hosts (nodes) grouped into networks (clusters).

As the two platforms gained massive popularity for software development and deployment, Microsoft wanted Docker and Kubernetes to be able to run on Windows Server as well, but the Windows kernel lacked some of the process and filesystem isolation features that allowed containers to share the same kernel on Linux.

The company developed some of those features and integrated them for the first time in Windows Server 2016, enabling a feature called Windows containers. This supports two modes of isolation: process isolation, which is similar to how Linux containers work where all containers share the host OS kernel, and Hyper-V isolation, which uses Microsoft’s Hyper-V hypervisor to set up lightweight virtual machines meaning each container has its own kernel.

Hyper-V-based containers offer better isolation, but they have a higher cost on hardware resources since each container is essentially a full-blown virtual machine and not just a kernel-enforced security boundary. That’s why containers on Windows Server default to the process isolation mode—also known as silo containers—and users who run Docker on Windows Server, possibly coupled with the Azure Kubernetes Service (AKS) for management, are likely to use them.

What is the Siloscape malware?

According to researchers from Palo Alto Networks who found Siloscape, the malware can only escape from silo containers and not Hyper-V containers. It does so using a variation of an escape technique that researchers warned about last year. The method involves abusing symbolic links to mount the host file system by impersonating a process called CExecSvc that runs in Windows containers. 

“To execute the system call NtSetInformationSymbolicLink that enables the escape, one must gain SeTcbPrivilege first,” Palo Alto researcher Daniel Prizmant, explained in a blog post. “There are a few ways to do this. For example, in my tests, I injected a DLL into CExecSvc.exe, which has the relevant privileges, and executed NtSetInformationSymbolicLink from the CExecSvc.exe context. Siloscape, however, uses a technique called Thread Impersonation. This method has little documentation online and even fewer working examples. The most critical function for this technique is the undocumented system call NtImpersonateThread.”

The use of the little-known thread impersonation technique suggests that the malware’s developers are skilled and sophisticated. This is also reflected in their use of heavy obfuscation in the malware and the passing of C&C server information and password as an encrypted command line argument instead of embedding it in the binary itself.

According to Prizmant, this is the first documented malware that was designed to target Windows containers and Kubernetes clusters specifically. The attackers break into containers by exploiting new, but publicly known, remote code execution vulnerabilities in applications or web servers that run in the container.

They then use the privilege escalation technique through CExecSvc.exe to escape the container and search for the kubectl.exe binary and configuration on the host system’s file system. Kubectl is a command-line tool that allows users to run commands against Kubernetes clusters, and its configuration file can contain the credentials needed to do so. The malware issues a Kubectl command to check if the compromised node has the permissions required to generate new deployments. If Kubectl is not found on the host, the attack is terminated.

Siloscape also deploys Tor on the host and uses it to connect to an .onion server address over the IRC protocol to wait for commands from the attackers. “Unlike other malware targeting containers, which are mostly cryptojacking-focused, Siloscape doesn’t actually do anything that will harm the cluster on its own,” Prizmant said. “Instead, it focuses on being undetected and untraceable and opens a backdoor to the cluster.”