Malware attacks against cloud containers are nothing new, but these attacks have primarily focused on Linux deployments because they are the most common and where containers were born.
Now, attackers are targeting Docker deployments on Windows, and researchers have found a new malware program designed to escape from Windows Server Containers and infect Kubernetes clusters.
Dubbed Siloscape, the malware is heavily obfuscated, relies on a little-known Windows container escape technique and communicates with its command-and-control infrastructure over Tor. Its goal is to gain access to Kubernetes nodes and clusters and then wait for further commands from the attackers.
Docker and Windows Server containers
Docker and Kubernetes are the main technologies for deploying containerized applications on cloud infrastructure. They are also directly responsible for the popularity of the microservice architecture in modern software development, where software is broken down into loosely coupled services running independently in their own isolated containers.
Docker is the tooling used to build and run containers. On Linux it relies on isolation features built into the kernel itself (namespaces and control groups) rather than on a hypervisor, so every container on a host shares that host's kernel. Kubernetes is the platform used to schedule and manage those containers and the applications running in them across multiple hosts (nodes) grouped into clusters.
Microsoft developed equivalent features and first shipped them in Windows Server 2016 as Windows containers. These support two isolation modes: process isolation, which works like Linux containers in that all containers share the host OS kernel, and Hyper-V isolation, which uses Microsoft's Hyper-V hypervisor to run each container in a lightweight virtual machine with its own kernel. The distinction matters for any escape: a process-isolated container is only as separate from the host as the kernel's sandboxing allows, which is why Microsoft's own guidance does not treat Windows Server (process-isolated) containers as a security boundary and recommends Hyper-V isolation for workloads that are not fully trusted.
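Because the two modes look identical from inside the container, the first thing a defender wants is a way to tell which one each running container actually got. The following PowerShell is an added example written for this article, not code from the article, from Unit 42 or from Microsoft. It parses the JSON that `docker inspect` emits on a Windows host and flags every container that shares the host kernel; the container names, image tag and the sample JSON are constructed, and treating an empty or "default" isolation value as process isolation is an assumption made so the audit errs on the side of caution (the Windows Server daemon defaults to process isolation).

```powershell
# Added example (not from the article, Unit 42 or Microsoft): audit which
# isolation mode Windows containers actually run under, since only Hyper-V
# isolation gives each container its own kernel.

function Get-ContainerIsolation {
    param(
        # JSON array as produced by `docker inspect <ids...>` on a Windows host.
        [Parameter(Mandatory)] [string] $InspectJson
    )
    foreach ($c in ($InspectJson | ConvertFrom-Json)) {
        # HostConfig.Isolation is what the daemon applied: "process", "hyperv"
        # or "default". On Windows Server the daemon default is process
        # isolation, so an empty/"default" value is treated as process here
        # (assumption: a conservative reading for an audit script).
        $mode = $c.HostConfig.Isolation
        if ([string]::IsNullOrEmpty($mode) -or $mode -eq 'default') { $mode = 'process' }
        [pscustomobject]@{
            Name             = $c.Name.TrimStart('/')
            Image            = $c.Config.Image
            Isolation        = $mode
            SharesHostKernel = ($mode -eq 'process')
        }
    }
}

# Constructed sample input standing in for real `docker inspect` output:
# one container started with --isolation=process, one with --isolation=hyperv.
$sampleInspect = @'
[
  { "Name": "/web-proc",   "Config": { "Image": "mcr.microsoft.com/windows/servercore:ltsc2019" },
    "HostConfig": { "Isolation": "process" } },
  { "Name": "/web-hyperv", "Config": { "Image": "mcr.microsoft.com/windows/servercore:ltsc2019" },
    "HostConfig": { "Isolation": "hyperv" } }
]
'@

Get-ContainerIsolation -InspectJson $sampleInspect | Format-Table -AutoSize

# On a real host, feed the live daemon instead and list only the containers
# that share the host kernel:
#   $live = docker inspect $(docker ps -q) | Out-String
#   Get-ContainerIsolation -InspectJson $live | Where-Object SharesHostKernel

# Weak and hardened launch of the same image. With process isolation the
# container shares the host kernel; with Hyper-V isolation it gets its own:
#   docker run --isolation=process mcr.microsoft.com/windows/servercore:ltsc2019 cmd /c ver
#   docker run --isolation=hyperv  mcr.microsoft.com/windows/servercore:ltsc2019 cmd /c ver
```

Run against the constructed sample, the table shows `web-proc` with `SharesHostKernel` set to `True` and `web-hyperv` set to `False`. Note that Hyper-V isolation requires the Hyper-V role on the host and a container image whose Windows build is compatible with the host, so the hardened launch line is a configuration change to plan, not just a flag to flip.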