Prisma Cloud by Palo Alto Networks sponsored this article.
Enterprises deploying applications in containers often have too little understanding of the technology’s security risks. And that’s good news for cybercriminals.
According to a survey of 150 cloud native security practitioners released in July by Aqua Security, only 3% of respondents understood that a container, by itself, is not a security boundary and less than a quarter have tools in place to secure containers at runtime.
The Siloscape malware takes advantage of a vulnerability in an undocumented function in the Windows kernel, Daniel Prizmant, the Palo Alto Networks researcher who discovered it, told The New Stack.
“This function can make a symbolic link — an object that points to another object — global, which practically makes an open link between the container and the host,” he said.
In practical terms, this gives attackers a wide range of options, he added. “This malware could be launched to use a variety of attacks, including a supply chain attack,” he said.
For example, a vendor’s software could be compromised so that all of its users are infected with malware, as recently happened in the attacks leveraging the SolarWinds and Kaseya IT management products.
Or attackers could infect a web server cluster and turn it into a huge phishing station, Prizmant said.
This type of malware can also be used for cryptojacking, where attackers use hijacked servers to mine Bitcoin and other cryptocurrencies.
“They generate easy money by stealing processing power,” he said.
Windows Containers Vulnerable
Attackers are already exploiting this vulnerability in the wild, and anyone running Windows containers in Kubernetes clusters is potentially vulnerable. In June, Prizmant identified 23 victims under active attack in a campaign that had been going on for more than a year.
“It signals that not only are there Windows workloads being stood up in environments, they are not being addressed through patching, and their permissions may be overly permissive,” he said.
The affected companies probably lifted and shifted their workloads from on-premises Windows servers to Kubernetes, he said, and may not have fully considered the challenges that come with being an early adopter of that approach.
“Microsoft Windows doesn’t have all the necessary restrictions that Linux does, and even in Linux, we still find container breakouts,” he added.
How to Defend Against Siloscape
To defend against Siloscape, companies should ensure that Windows containers only have the permissions that they need to function, no more, and review security configurations for their clusters and cloud environments.
Companies should also deploy container-aware endpoint security tools that can scan for attacks, Frost said.
“Containers are more application-packaging solutions than security boundaries like virtual machines are,” he said. “The more we are aware of that, the better we can model risk.”
Microsoft itself recommends that companies not rely on Windows Server containers as a security boundary, and instead use Hyper-V isolation for anything that depends on containerization as a security boundary.
However, Microsoft recently added additional security checks. For example, there’s now a check on the key function used in the Siloscape attack that allows the malware to escape from a container. If the function is called from inside the container, it will be blocked.
Most importantly, though, companies need to ensure that all their systems are patched and up to date, said Nathan Paulhus, security specialist at cybersecurity firm Threat Stack.
“All the observed infections were via Windows containers running vulnerable software,” Paulhus said. “If the vulnerabilities weren’t there, the initial foothold wouldn’t take place.”
In order to get their Siloscape malware into the Windows containers in the first place, attackers had to find an entry point.
“There’s a bunch of software people run, probably because of technical debt, that they’re unable to update,” he said. “Or perhaps they are short of resources.”
The Siloscape malware also communicated out to its command and control servers using the Tor proxy and an onion domain.
“If your company doesn’t use or need access to Tor, you probably want to stop those DNS requests from resolving,” Paulhus said.
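The detection side of that advice, as an added example (not Threat Stack’s or Unit 42’s code): a small scanner over CoreDNS query logs that flags any lookup for a `.onion` name. RFC 7686 reserves `.onion` for Tor, so a conforming resolver answers NXDOMAIN and no legitimate workload should be asking for one; a `NOERROR` answer additionally tells you the resolver is forwarding those names upstream instead of refusing them. One caveat: Tor’s own relay and directory traffic goes to IP addresses and will not show up here, so this catches leaked lookups, not the Tor circuit itself. The log lines are constructed in the default CoreDNS `log` plugin format, not captured traffic, and the `c2-example.onion` name is a placeholder.

```python
"""Flag .onion lookups in CoreDNS query logs. Added example, not Threat
Stack's or Unit 42's code; the log lines are constructed in the default
CoreDNS `log` plugin format, not captured traffic."""
import re
from collections import Counter

# Default CoreDNS log line:
# [INFO] client:port - id "qtype qclass qname proto size do bufsize" rcode flags rsize duration
LINE_RE = re.compile(
    r'^\[INFO\] (?P<client>\S+):(?P<port>\d+) - \d+ '
    r'"(?P<qtype>\S+) (?P<qclass>\S+) (?P<qname>\S+) \S+ \d+ \S+ \d+" '
    r'(?P<rcode>\S+) '
)

# Constructed sample; c2-example.onion is a placeholder, not a real address.
SAMPLE_LOG = """\
[INFO] 10.244.1.17:49170 - 21903 "A IN api.internal.example. udp 40 false 512" NOERROR qr,rd,ra 72 0.000812s
[INFO] 10.244.1.17:49171 - 21904 "AAAA IN api.internal.example. udp 40 false 512" NOERROR qr,rd,ra 72 0.000623s
[INFO] 10.244.3.8:53011 - 44812 "A IN c2-example.onion. udp 40 false 512" NOERROR qr,rd,ra 96 0.024s
[INFO] 10.244.2.4:50022 - 17 "A IN update.microsoft.com. udp 38 false 512" NOERROR qr,rd,ra 120 0.003s
[INFO] 10.244.3.8:53012 - 44813 "A IN C2-EXAMPLE.ONION. udp 40 false 512" NXDOMAIN qr,rd,ra 40 0.001s
"""


def parse_query(line):
    """Return the fields of one log line, or None if it is not a query line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["qname"] = q["qname"].lower().rstrip(".")  # DNS names are case-insensitive
    return q


def is_onion(qname):
    """RFC 7686 reserves .onion for Tor; it should never reach a DNS resolver."""
    qname = qname.lower().rstrip(".")
    return qname == "onion" or qname.endswith(".onion")


def find_onion_lookups(log_text):
    """Return (client, qname, rcode) for every .onion query in the log."""
    hits = []
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and is_onion(q["qname"]):
            hits.append((q["client"], q["qname"], q["rcode"]))
    return hits


def clients_by_onion_count(log_text):
    """Count .onion queries per client address, for triage ordering."""
    return Counter(client for client, _, _ in find_onion_lookups(log_text))


if __name__ == "__main__":
    for client, qname, rcode in find_onion_lookups(SAMPLE_LOG):
        # NOERROR here means the resolver answered a .onion name instead of
        # refusing it, so the lookup went upstream and no block is in place.
        print(f"{client} looked up {qname} -> {rcode}")
    print(clients_by_onion_count(SAMPLE_LOG))
```

The client address in a hit maps back to a pod IP, which is the pivot into the rest of the investigation. The matching preventive control is resolver-side: configure the cluster resolver to answer `onion.` with NXDOMAIN (CoreDNS can do this with a dedicated server block using the `template` plugin), so that the lookups fail even before they are logged.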
Guarding Against Future Attacks
Since the specific vulnerability that Siloscape leveraged has already been patched by Microsoft, we probably won’t see many attacks using this specific vector, said Palo Alto’s Prizmant.
“However, I do expect to see other malware that tries to abuse Kubernetes processing power by escaping the container,” he said.
To defend themselves, companies should follow best practices for cloud environment configuration, he said. “For example, don’t allow nodes full access. Don’t run privileged containers.”
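The least-privilege advice above for Windows containers (only the permissions a container needs, no privileged containers) boils down to a handful of Pod settings, and they are easy to check mechanically before a manifest reaches the cluster. The following is an added example, not Unit 42’s or Microsoft’s tooling: a linter that walks a Pod manifest and reports the settings that hand a Windows container host-level access, together with a “lift-and-shift” manifest that trips every check and the same workload restated with only what it needs. The field names (`hostNetwork`, `securityContext.windowsOptions.hostProcess`, `runAsUserName`, `hostPath`) are real Kubernetes Pod fields; the two manifests and the `with_user` helper are constructed for the example. Node-level permissions (what the node’s own credentials may do) live in RBAC rather than the Pod spec and are out of this check’s scope.

```python
"""Lint a Pod manifest for settings that let a Windows container reach the
node. Added example (not Unit 42's or Microsoft's tooling); the field names
are real Kubernetes Pod fields, the sample manifests are constructed."""
import copy

# Accounts that are administrators inside a Windows container.
ADMIN_ACCOUNTS = {"containeradministrator", "nt authority\\system"}


def lint_pod(pod):
    """Return a list of findings for one Pod manifest (a dict as loaded from
    YAML). An empty list means no host-reaching setting was found."""
    findings = []
    spec = pod.get("spec", {})
    pod_win = spec.get("securityContext", {}).get("windowsOptions", {})

    # Shared node namespaces give the container the node's view of the host.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} is true")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        win = sc.get("windowsOptions", {})
        # Container-level windowsOptions override the pod-level ones.
        host_process = win.get("hostProcess", pod_win.get("hostProcess", False))
        user = win.get("runAsUserName", pod_win.get("runAsUserName"))

        if sc.get("privileged"):
            findings.append(f"{name}: privileged is true")
        if host_process:
            findings.append(f"{name}: HostProcess container (runs directly on the node)")
        if user is None:
            findings.append(f"{name}: runAsUserName not set (Server Core images default "
                            "to ContainerAdministrator)")
        elif user.lower() in ADMIN_ACCOUNTS:
            findings.append(f"{name}: runs as administrative account '{user}'")

    # hostPath volumes expose the node's filesystem (e.g. C:\) to the container.
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"volume '{v.get('name')}': hostPath "
                            f"'{v['hostPath'].get('path')}' exposes the node filesystem")
    return findings


def with_user(pod, container_name, user):
    """Return a copy of `pod` with `container_name` pinned to run as `user`."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        if c["name"] == container_name:
            c.setdefault("securityContext", {}).setdefault(
                "windowsOptions", {})["runAsUserName"] = user
    return fixed


# Constructed "lift-and-shift" manifest: host network, SYSTEM, the node's C:\ mounted.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-iis"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "hostNetwork": True,
        "securityContext": {"windowsOptions": {
            "hostProcess": True, "runAsUserName": "NT AUTHORITY\\SYSTEM"}},
        "containers": [{
            "name": "iis",
            "image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019",
            "volumeMounts": [{"name": "hostroot", "mountPath": "C:\\host"}],
        }],
        "volumes": [{"name": "hostroot", "hostPath": {"path": "C:\\"}}],
    },
}

# Constructed: the same workload with only the permissions it needs.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "iis"},
    "spec": {
        "nodeSelector": {"kubernetes.io/os": "windows"},
        "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
        "containers": [{
            "name": "iis",
            "image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019",
            "volumeMounts": [{"name": "scratch", "mountPath": "C:\\scratch"}],
        }],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], lint_pod(pod) or "no findings")
```

Run against the weak manifest it reports the shared host network, the HostProcess setting, the SYSTEM account and the `C:\` hostPath; the hardened manifest produces nothing. The same checks belong in an admission controller or CI step so that a manifest with these settings never reaches a node; the point of the `with_user` helper is that pinning `runAsUserName` is a one-field change, not a redesign.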
But companies should also train their security teams and employees to recognize when systems have been compromised.
“As technology advances, so does the attack surface and the potential for different compromises,” he said.
This requires that companies continually review their security policies with an eye towards the changing threat landscape, he said.
This is especially true for containers. According to a report released in July by Red Hat, 94% of companies surveyed experienced at least one security incident in their Kubernetes environment over the previous year.
And more than half reported having delayed deploying Kubernetes applications due to security concerns.
The guide is highly detailed and valuable, said Threat Stack’s Paulhus. “Especially for adopters of Kubernetes. There’s a lot to be said for hardening of the cluster.”
The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Kaseya.
Prisma Cloud by Palo Alto Networks and Red Hat OpenShift are sponsors of The New Stack.