Tutkijat löysivät Siloscape-haittaohjelmat, jotka kohdistuvat Windows Server -säiliöihin ja Kubernetes-klustereihin

Helga Smithkesäkuu 9, 2021Viimeksi päivitetty: kesäkuu 14, 2021
7 2 minuuttia luettu

Researchers at Palo Alto Networks ovat löytäneet a highly obfuscated Siloscape malware that breaks into Windows Server containers in order to compromise Kubernetes clusters. The ultimate goal of attackers is to deploy a backdoor that can be used for other malicious activities.

Experts write that for the first time such attacks were noticed in early March, but they have been going on for at least a year. The attackers behind this campaign scan the network for common cloud applications and then use exploits against them for various old vulnerabilities.

If a web application is running inside a Windows Server container, attackers use the Siloscape malware, which exploits the previously documented escape container method to gain access to the underlying OS.

If the OS is running as a Kubernetes node, hackers also extract the node’s credentials and then use them to navigate to the Kubernetes back-end infrastructure and deploy new nodes with malicious features.

Hacking an entire cluster is much more serious than compromising a single container, since a cluster can run multiple cloud applications, whereas a single container typically runs one cloud application. Esimerkiksi, an attacker could steal sensitive information such as usernames and passwords, confidential and internal organization files, or even entire databases hosted on a cluster.from Palo Alto Networks specialists say

Siloscape also downloads and installs a Tor client on the infected system to communicate with its C&C server and receive commands from its operators via IRC.

Tutkijat löysivät Siloscape-haittaohjelman

Palo Alto Networks company specialists report that they was able to gain access to this server, and currently attackers have infected more than 300 järjestelmät. Samaan aikaan, the ultimate goal of the hackers is not completely clear.

“Unlike other malware targeting containers and mainly targeting cryptojacking, Siloscape doesn’t actually do anything to damage the cluster itself. Sen sijaan, it focuses on ensuring that it cannot be detected and tracked, and opens a backdoor into the cluster,"asiantuntijat sanovat.

It is speculated that attackers could lease to other criminals access to some of the larger compromised companies, including the ransomware operators.

Tutkijoiden mukaan, companies should start moving applications from Windows containers to Microsoft Hyper-V as soon as possible, as Microsoft itself recommends using Microsoft Hyper-V instead of the old and less secure container mechanism.

Siloscape shows the importance of container security, as the malware wouldn’t be able to cause any significant damage if not for the container escape. It is critical that organizations keep a well-configured and secured cloud environment to protect against such threats.

Haluan muistuttaa teitä siitä, että puhuin myös siitä XCSSET-haittaohjelma käyttää 0 päivän hyökkäyksiä macOS: ssa.

Tunnisteet
Helga Smithkesäkuu 9, 2021Viimeksi päivitetty: kesäkuu 14, 2021
7 2 minuuttia luettu

Helga Smith

Olin aina kiinnostunut tietojenkäsittelytieteistä, erityisesti tietoturva ja teema, jota kutsutaan nykyään "datatiede", jo varhaisesta teini-ikäisestäni. Ennen tulemista viruksenpoistotiimiin päätoimittajana, Olen työskennellyt kyberturvallisuuden asiantuntijana useissa yrityksissä, mukaan lukien yksi Amazonin urakoitsijoista. Toinen kokemus: Olen opettanut Ardenin ja Readingin yliopistoissa.

Jätä vastaus

Tämä sivusto käyttää Akismet roskapostin vähentämiseksi. Opi kommenttisi tietoja käsitellään.

Takaisin alkuun-painike