It was recently reported that a new strain of malware, active for over a year, has been compromising Windows containers in order to take over Kubernetes clusters.
Kubernetes is used to organize application containers into pods, nodes and clusters: multiple nodes form a cluster, which is managed by a master that coordinates cluster-wide tasks such as scaling or updating applications. The malware, called Siloscape, is known to exploit vulnerabilities in web servers and databases and to use them as its way into Kubernetes.
Once it has compromised a web server, the malware uses various container escape techniques to achieve code execution on the underlying Kubernetes node. Compromised nodes are then probed for credentials, which allow the malware to spread to other nodes in the cluster. Finally, the malware establishes a communication channel and listens for incoming commands from its operators.
Twenty-three active victims were identified, and the malware's server was found to be hosting 313 users in total, which suggests that the malware has targeted many more servers and users.
It was reported that compromising an entire cluster is far more serious than compromising an individual container, since a cluster may run multiple cloud applications whereas a single container usually runs only one.
Kubernetes administrators are therefore advised to switch from Windows containers to Hyper-V containers so that their clusters are securely configured to withstand this kind of attack.
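The two defensive points above (the escape path from a container to its node, and the recommendation to run Windows workloads under Hyper-V isolation) can be checked on pod manifests before they reach a cluster. The following audit script is an added example, not code from the original report or from any project; it takes already-parsed pod manifests (plain dicts, as json.load or yaml.safe_load would return) and flags the settings that let a container compromise become a node compromise. The RuntimeClass names in HYPERV_RUNTIME_CLASSES and the two sample manifests are assumptions constructed for this example; the containerd handler name runhcs-wcow-hypervisor is the one Kubernetes documents for Hyper-V isolated Windows containers.

```python
"""Audit Kubernetes pod manifests for settings that make a Windows container
compromise easy to turn into a node or cluster compromise.

Runs offline on parsed manifests (dicts); no cluster access is required.
"""

# RuntimeClass names that map to a Hyper-V isolated handler. The names are an
# assumption for this example: match them to the RuntimeClass objects that
# exist in your own cluster (handler 'runhcs-wcow-hypervisor' under containerd).
HYPERV_RUNTIME_CLASSES = {"windows-hyperv", "runhcs-wcow-hypervisor"}


def is_windows_pod(spec):
    """A pod counts as a Windows pod if it selects Windows nodes through the
    nodeSelector or declares spec.os.name: windows."""
    selector = spec.get("nodeSelector") or {}
    if selector.get("kubernetes.io/os") == "windows":
        return True
    return (spec.get("os") or {}).get("name") == "windows"


def audit_pod(pod):
    """Return a list of (severity, message) findings for one pod manifest."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings = []

    # 1. A Windows pod without Hyper-V isolation shares the node's kernel, so a
    #    container escape lands directly on the node.
    if is_windows_pod(spec) and spec.get("runtimeClassName") not in HYPERV_RUNTIME_CLASSES:
        findings.append(("HIGH", f"{name}: Windows pod is not using a Hyper-V RuntimeClass"))

    # 2. Host namespaces and host filesystem mounts are the usual shortcuts from
    #    a container to the node.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", f"{name}: {flag} is enabled"))
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(("HIGH", f"{name}: hostPath volume '{vol.get('name')}' mounts {path}"))

    # 3. Privileged or HostProcess containers run with node-level rights.
    for ctr in spec.get("containers") or []:
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("HIGH", f"{name}/{ctr.get('name')}: privileged container"))
        if (sc.get("windowsOptions") or {}).get("hostProcess"):
            findings.append(("HIGH", f"{name}/{ctr.get('name')}: Windows HostProcess container"))

    # 4. An auto-mounted service-account token is a credential that a payload
    #    probing the node can reuse against the API server.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("MEDIUM", f"{name}: service-account token is auto-mounted"))

    return findings


def audit_pods(pods):
    """Audit a list of pod manifests and return all findings."""
    return [finding for pod in pods for finding in audit_pod(pod)]


# Constructed sample manifests for this example (not real workloads): one pod
# whose settings let a container compromise reach the node, and one that
# applies the mitigations.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-iis"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "C:\\"}}],
        "containers": [{
            "name": "iis",
            "image": "example.invalid/iis-app:constructed",
            "securityContext": {"windowsOptions": {"hostProcess": True}},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-iis-hyperv"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "runtimeClassName": "windows-hyperv",
        "automountServiceAccountToken": False,
        "containers": [{"name": "iis", "image": "example.invalid/iis-app:constructed"}],
    },
}

if __name__ == "__main__":
    for severity, message in audit_pods([RISKY_POD, HARDENED_POD]):
        print(f"[{severity}] {message}")
```

Run as an admission-time or CI check, the script reports every finding for the risky pod and nothing for the hardened one; the RuntimeClass check is the direct counterpart of the advice to move Windows workloads to Hyper-V containers, and the remaining checks cover the node-reaching paths and the credentials that the report describes the malware looking for.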