Palo Alto Networks Finds First Windows Container Malware

Palo Alto Networks revealed today it has discovered the first known malware targeting Windows containers. Dubbed Siloscape, the malware employs sophisticated code obfuscation techniques to create a backdoor into a Kubernetes cluster running Windows containers that could be exploited later.

Matt Chiodi, chief security officer at Palo Alto Networks, says the malware has been targeting Windows container environments for more than a year, and communicates with its command and control (C2) server over the Tor network. Thus far, Unit 42 researchers have been able to identify 23 Siloscape victims.

Unit 42 researchers have not been able to determine where Siloscape originated, but Microsoft has been alerted to the issue, notes Chiodi.

While it’s still early days as far as adoption of containers in Windows environments is concerned, Chiodi says hundreds of millions of Windows containers have been downloaded from the DockerHub repository in the last year. That level of activity will undoubtedly attract the attention of cybercriminals who target Windows platforms, says Chiodi.

The most surprising thing about Siloscape is its sophistication, Chiodi adds. Most of the malware targeting Linux containers is designed to enable cybercriminals to mine digital currency as part of a cryptojacking attack. The Siloscape malware is a Trojan horse that creates a backdoor for any number of types of attacks, including ransomware attacks, distributed denial of service (DDoS) attacks or data exfiltration attempts. Siloscape may reside on a cluster for months before it is activated, which only serves to accentuate the need for cybersecurity teams to double down on threat hunting to discover malware before it is activated.

Many organizations tend to be somewhat complacent when it comes to container security because the assumption is the lifespan of a container running in a production environment is, at most, a few minutes. However, cybercriminals have, time and again, shown their ability to exploit vulnerabilities in a matter of seconds once they are discovered. Those same cybercriminals also recognize that, when they detect containers, it signals the presence of a modern application that is likely to be driving a digital business transformation initiative. That application, by definition, represents a potential high-value target. Unfortunately, many of the developers building those applications don’t tend to have a lot of cybersecurity expertise.

Worse yet, now that Siloscape has been detected, it’s almost certain other similar attacks are on the way. In fact, they may already be present and just haven’t been detected yet. As they become more prevalent, it’s only a matter of time before organizations are required to embrace DevSecOps best practices to combat these more sophisticated threats. In fact, the rise of container security threats may finally force the issue, as the rate of change within IT environments continues to overwhelm cybersecurity teams. The challenge is that, rather than shifting responsibility for security entirely left toward developers, the entire organization needs to learn how to lean left to identify emerging threats to the software supply chain like Siloscape.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
