‘Siloscape’ Malware Targets Windows Server Containers

A newly identified piece of malware that targets Windows Server containers can execute code on the underlying node and then spread in the Kubernetes cluster, according to a warning from security researchers at Palo Alto Networks.

Dubbed Siloscape, the heavily obfuscated malware was designed to install a backdoor into Kubernetes clusters, which can then be used to run malicious containers and perform various other nefarious activities.

As part of the observed attacks, which have been ongoing for more than a year, initial access is achieved through web servers and other cloud applications; container escape techniques are then used to execute code on the underlying node, after which the node’s credentials are abused to spread in the cluster.

According to Palo Alto Networks researcher Daniel Prizmant, Siloscape has snagged at least 23 victims to date, but the malware is believed to be part of a larger campaign. After gaining access to the malware’s command and control server, the researcher discovered that it was hosting a total of 313 users.

“This malware can leverage the computing resources in a Kubernetes cluster for cryptojacking and potentially exfiltrate sensitive data from hundreds of applications running in the compromised clusters,” Prizmant said.

Typically, an attack starts with the malware operators abusing a known vulnerability to gain remote code execution inside a Windows container, which is then used to run Siloscape. Next, the malware escapes the container to compromise the host, checks if the host has privileges to create new Kubernetes deployments, and connects to the C&C server using Tor.

To escape the container, the malware impersonates CExecSvc.exe and then creates a symbolic link from its local containerized X drive to the host’s C drive. Next, it searches for specific Kubernetes files and makes sure it can execute kubectl commands.

The main focus of the malware is to remain undetected in the compromised environment. Unlike other container-targeting malware, which was designed for resource hijacking and denial of service (DoS), it opens a backdoor into the cluster that allows its operators to perform all kinds of malicious activities.

Given that Siloscape targets Windows Server containers, administrators should make sure their cloud environments are properly secured and configured. In particular, Hyper-V containers should be employed for operations that rely on containerization as a security boundary, and Kubernetes clusters should be securely configured.
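As an added example that is not part of the article or of Palo Alto Networks' research: a small Python detector over Kubernetes API-server audit events (audit.k8s.io/v1 format) that flags a node identity creating workload controllers, which is exactly the privilege Siloscape checks for before spreading. The audit lines, node name and object names below are constructed for illustration.

```python
import json

# Constructed sample audit events (not real logs from the campaign): a routine
# kubelet status patch, a node identity creating a Deployment, a normal human
# deploy, and a node identity being denied a pod create in kube-system.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"system:node:win-node-1","groups":["system:nodes"]},"objectRef":{"resource":"nodes","subresource":"status","name":"win-node-1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:node:win-node-1","groups":["system:nodes"]},"objectRef":{"resource":"deployments","apiGroup":"apps","namespace":"default","name":"miner"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"deploy-bot","groups":["system:authenticated"]},"objectRef":{"resource":"deployments","apiGroup":"apps","namespace":"default","name":"web"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"system:node:win-node-1","groups":["system:nodes"]},"objectRef":{"resource":"pods","namespace":"kube-system","name":"x"},"responseStatus":{"code":403}}
"""

# Controller resources a kubelet never legitimately creates. Bare pods are left
# out on purpose: a kubelet creates mirror pods for its own static pods, so pod
# creates by a node need a mirror-pod cross-check before being called suspicious.
CONTROLLER_RESOURCES = {"deployments", "daemonsets", "replicasets",
                        "statefulsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}


def is_node_identity(user):
    """True for the kubelet identity of a node (system:node:<name> / system:nodes)."""
    return (user.get("username", "").startswith("system:node:")
            or "system:nodes" in user.get("groups", []))


def suspicious_node_writes(audit_log_text):
    """Return (username, verb, resource, namespace, http_code) for every write
    to a workload controller made with a node identity. A 2xx code means RBAC
    let it through (the node can spread in the cluster); a 403 is still an
    attempt worth alerting on."""
    findings = []
    for line in audit_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        user = event.get("user", {})
        ref = event.get("objectRef", {})
        if event.get("verb") not in WRITE_VERBS or not is_node_identity(user):
            continue
        if ref.get("resource") in CONTROLLER_RESOURCES:
            findings.append((user["username"], event["verb"], ref["resource"],
                             ref.get("namespace", ""),
                             event.get("responseStatus", {}).get("code")))
    return findings


def node_can_create_workloads(audit_log_text):
    """True if any flagged write actually succeeded, i.e. the node's credentials
    are over-privileged and should be restricted (Node authorizer + NodeRestriction)."""
    return any(code is not None and 200 <= code < 300
               for *_, code in suspicious_node_writes(audit_log_text))
```

Feed it the API server's audit log (one JSON event per line) and treat any successful finding as a configuration defect to fix, not only as an incident.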

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
