It was a good run. For years, Kubernetes and containers seemed largely untouched by the ever-increasing threat of malware and ransomware; unfortunately, that streak has come to an end. A nasty little techno-critter has reared its head, and it may only be the beginning.
Siloscape takes its name from its attempts to escape the Windows server silo that implements its container, and it first surfaced in March 2021. Discovered by Daniel Prizmant of Palo Alto Networks' Unit 42 and documented in his write-up, it is the first known malware to target Windows containers, which it uses as a foothold to open a backdoor into poorly configured Kubernetes clusters. Prizmant details how the malware uses the compromised node's credentials to reach data at the cluster level, making any hosted databases, user credentials and business-critical data an easy and obvious target for the attacker.
Siloscape is Just the Beginning
Prizmant explains just how dangerous Siloscape can be once it gets ahold of this data from within the Kubernetes cluster:
“Such an attack could even be leveraged as a ransomware attack by taking the organization’s files hostage. Even worse, with organizations moving to the cloud, many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks,” he writes.
Prizmant gained access to the Siloscape command-and-control (C2) server and identified 23 active victims of the malware, along with 313 users registered on the server in total, which led him to conclude that Siloscape was only a small part of a much larger campaign. With all the information we now know about Siloscape, it is paramount to realize that this is just the first salvo; threats have only begun to manifest themselves against Kubernetes environments. When one attack can get through, more are soon to follow.
Now, if you thought containers and Kubernetes were impervious to all of this ransomware madness, there may be more disturbing news to consider. The discovery of Siloscape becomes especially troubling when paired with a research study performed by StackRox, which found that 67% of respondents polled had detected a serious misconfiguration in their Kubernetes environment. Kubernetes is widely available and is deployed by teams with wildly different levels of experience, and because a default installation is quick to stand up, the finer configuration and security details (role-based access control, network policies, pod security settings) are easy for an untrained operator to leave unaddressed. In other words, this could very quickly get out of hand.
Fortunately, it’s not all bad news. Many businesses and governments have already opened their eyes to the monumental risk malware poses and are raising awareness around these potential threats. Due to the increased risks associated with ransomware, U.S. president Biden recently called on Big Tech to help improve cybersecurity across the nation’s critical infrastructure and has urged businesses of all types to invest more heavily in cybersecurity efforts. As a result, additional requirements and standards for executives and business owners may not be far behind. Beyond the demands from Uncle Sam, there are numerous tactics any admin can take to help prevent malware targeted at Kubernetes.
Kubernetes Security Hygiene
Good IT behavior starts with the user. As someone who has witnessed the impacts of ransomware firsthand, I can attest to the importance of having good password hygiene. I recommend using unique, differentiated passwords for each user account, encrypting passwords and data both at rest and in transit, and keeping sensitive or valuable data out of plaintext whenever possible. In the case of Kubernetes, you must ensure that you understand how to secure it from top to bottom. Kubernetes offers some of the most well-written and understandable documentation out there and includes an entire section on how to configure, manage and secure your cluster properly. Kubernetes can be an awesome way to level up applications and services. Still, the importance of properly configuring each Kubernetes cluster cannot be overstated.
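To make "proper configuration" concrete, here is an added example, written for this article rather than taken from Unit 42's report or the Kubernetes project, of a small audit that flags the Pod settings which turn a single compromised container into a cluster-level problem: host namespaces, host path mounts, privileged or HostProcess containers, auto-mounted service account tokens, missing non-root enforcement and unpinned images. The two manifests are constructed for illustration (the registry hostname and the image digest are placeholders); they are plain dicts so the script runs without PyYAML, but the same function works on the output of `yaml.safe_load` or `kubectl get pod -o json`.

```python
"""Audit Kubernetes Pod manifests for common privilege-related misconfigurations.

Added example for this article; not code from Unit 42 or from Kubernetes itself.
The checks mirror the restricted Pod Security Standard at a high level and are
meant as a starting point, not a replacement for an admission controller.
"""
from typing import Any, Dict, List

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})

    # Host namespaces let a process observe or signal host processes and sockets.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: spec.{key} is true")

    # The token is mounted by default; with loose RBAC it is a cluster credential.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    # hostPath volumes expose the node's filesystem to the container.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"{name}: hostPath volume mounts {path!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")

        # runAsNonRoot may be set at pod or container level; the container wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: runAsNonRoot is not true")

        caps = sc.get("capabilities", {})
        if "ALL" not in [x.upper() for x in caps.get("drop", [])]:
            findings.append(f"{name}/{cname}: does not drop all capabilities")
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(f"{name}/{cname}: adds capability {cap}")

        # Windows HostProcess containers run directly on the node, much like
        # a privileged container on Linux.
        win = sc.get("windowsOptions", pod_sc.get("windowsOptions", {}))
        if win.get("hostProcess"):
            findings.append(f"{name}/{cname}: Windows HostProcess container")

        # An unpinned image makes it impossible to know what actually ran.
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]
        if "@" not in ref and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}/{cname}: image {image!r} is not pinned")

    return findings


# Constructed manifests for illustration; "example.com" and the digest are placeholders.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "web",
            "image": "example.com/web:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "example.com/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["no findings"])
```

Run it as-is to see the weak manifest produce eight findings and the hardened one none; in a pipeline you would feed it every manifest before it reaches the cluster, or enforce the same rules with Pod Security Admission so they cannot be skipped.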
In addition to good hygiene, having a trusted data management platform in place is essential for making protection and recovery from ransomware like Siloscape less burdensome. Whether you are rocking a build-your-own deployment of native K8s, operating in VMware Tanzu or Azure Kubernetes Service, or mixing and matching a little bit of all the distributions out there, keeping a healthy library of namespace backups makes recovery quicker and more predictable should something go wrong. Those backups should live outside the cluster they protect and be restored periodically as a test, since a backup the attacker can reach, or one that has never been restored, offers little resilience. Pair this with the ability to recover to an unaffected cluster in a secondary location, and quickly bringing apps and services back online becomes readily achievable.
The good news is with proactive security behavior and data protection policies in place, you can avoid these pitfalls and, if the worst-case scenario does happen, you can recover to a last good working state. Ensuring Kubernetes admins are aware of the looming threat to the application stack is pivotal to its continued growth and success. Like the great team of philosopher counter-terrorists always said: “Knowing is half the battle!” While I always wondered what the other half of the battle was, I think it’s safe to say that it’s probably ensuring you have good data protection in place.