+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Windows Containers and Kubernetes under attack

Microsoft has warned that Kubernetes clusters are being targeted in a cryptomining attack while Palo Alto Networks has identified the first malware that targets Windows Containers – in order to compromise the Kubernetes clusters that host them.

Cryptomining on Kubernetes

Kubeflow is a popular framework for deploying Machine Learning workloads in a Kubernetes environment.  Microsoft reports they have detected a spike in criminals injecting their own pods into Kubeflow environments that then mine cryptocurrency at the expense of the victim.  The criminals are using legitimate images from the official Docker Hub, but they are configured to run the criminal’s mining workloads.  Unless the system admins responsible for the Kubernetes environment are on the ball, a couple of extra pods running in the environment might not be noticed… until the hosting bill arrives at the end of the month.

As with many attacks on cloud-based resources, the root cause of this attack is insecurely configured administration portals.  In this case, the Kubeflow dashboard was exposed to the internet allowing the attackers to configure their own additional workloads at the customers’ expense.

In their blog post, Microsoft provide advice on how to list and spot unexpected containers that have been added to your environment and point out how Azure Defender could help detect exposed Kubeflow deployments.

Siloscape malware targets Windows Containers

Palo Alto Network’s Unit 42 has discovered what they think is the first malware that targets Windows Containers running under Kubernetes. The malware has been named Siloscape as it is designed to escape the Windows Container and then compromise the entire Kubernetes cluster in order to run their own malicious containers or steal data from the victim’s other containers in the cluster.

Microsoft has long maintained that Windows Containers, unlike virtual machines, are not considered security boundaries – each application running in a Windows Container should be treated as if it is executing on the host directly.  However, in the case of Siloscape, they are treating the ability to escape the container without administrator privilege as a vulnerability. (CVE-2021-24096)

Siloscape targets common cloud applications using known vulnerabilities and then escapes the Windows container in order to gain the ability to execute on the underlying node and so spread to the entire Kubernetes cluster.  Siloscape then phones homes to its command & control server and awaits further commands.

According to the researcher at Unit 42, the Siloscape powered campaign appears to have been active for over a year with more than 300 victims so far.

Unlike other malware targeting containers, which are mostly cryptojacking-focused, Siloscape doesn’t actually do anything that will harm the cluster on its own. Instead, it focuses on being undetected and untraceable and opens a backdoor to the cluster.
~ Daniel Prizmant, Unit 42

If Siloscape determines that the Kubernetes cluster has been securely configured preventing the creation of new deployments it will simply exit, thus underlining the importance of using trusted security baselines to ensure your cloud environments are deployed securely.

 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.