Siloscape: Kubernetes’s Dark Side
I’m Arsalan Mirbozorgi.
There was a period when Kubernetes and containers appeared resistant to the growing menace of malware and ransomware. That period is over, and Siloscape is only the first of a new breed of nasty little tech-critters. When Siloscape first appeared in March 2021, it was named for its penchant for trying to break out of its silo container. It is the first malware found to target backdoors in poorly configured Kubernetes clusters, as discovered by Unit 42’s Daniel Prizmant and reported in his write-up. In that post, Prizmant explains how the malware collects data at the cluster level, making any hosted databases, user passwords, and business-critical data inside the cluster an easy and obvious target for the attacker.
Siloscape Is Only the First Step
Once Siloscape gets hold of this data, Prizmant demonstrates just how harmful it can be:
Such an attack could be turned into ransomware by holding the company’s files hostage. As enterprises migrate to the cloud, Kubernetes clusters are increasingly used as development and testing environments, which can lead to “devastating software supply chain attacks,” he explains in his blog post.
Following his investigation into the Siloscape “command and control” server, Prizmant was able to identify at least 23 victims of the malware and more than 300 individuals who were directly or indirectly involved in the attack. Even though we have learned a great deal about Siloscape, it is crucial to remember that this is only the start of the investigation. Kubernetes clusters remain susceptible to compromise, and where one attack has succeeded, others will inevitably attempt the same.
It appears that containers and Kubernetes may not be immune to ransomware after all, according to some frightening new evidence. A survey carried out by StackRox found that more than 67% of respondents had detected some form of significant misconfiguration in their Kubernetes environment. Combined with the discovery of Siloscape, these findings make the situation even more serious. The risks connected with running open-source Kubernetes, available to people of all skill levels and accessible to everyone, are significant: because of the complexity of its finer features, an inexperienced user can find it difficult to set up and secure a quick-to-deploy solution without adequate documentation. This may spiral out of control in the not-too-distant future.
However, the news is not all depressing. Malware is a huge threat to companies and governments, and many are taking steps to raise public awareness of the dangers it presents to their operations and citizens. The growing threat of ransomware has prompted Vice President Joe Biden to advocate for increased investment in cybersecurity by businesses of all kinds and for Big Tech to contribute to strengthening cybersecurity across the nation’s critical infrastructure. As a result, CEOs and business owners may face more obligations and rules in the near future. Beyond the obligations imposed by the United States government, there are myriad tactics that every Kubernetes administrator can implement to help avoid malware.
What is Kubernetes Security Hygiene?
The first step toward appropriate IT conduct is to educate the user. If you have ever been a victim of ransomware, you will understand the importance of good password hygiene. Each user account should have its own password, and passwords must never be kept in plaintext: encrypt them at rest and in transit. You must also understand how to defend Kubernetes from the ground up. Kubernetes’ own documentation, which is well written and easy to follow, includes a section on configuring, administering, and securing your cluster, and it is available online. Kubernetes is a fantastic choice if you want to enhance the performance of your apps and services; nevertheless, the importance of configuring a Kubernetes cluster correctly cannot be overstated.
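One concrete piece of that hygiene is making sure credentials never reach a cluster as literal plaintext in a workload manifest. The following checker is an added example written for this post, not code from the original article or from Unit 42. It walks the Pod spec embedded in common workload kinds and flags credential-looking environment variables that are set with a literal `value` or pulled from a ConfigMap instead of a Secret. The manifests are constructed as Python dicts (the shape `yaml.safe_load` would produce) so the script runs offline, and the credential-name patterns are an assumption you should tune for your own naming conventions.

```python
import re
from typing import List, Optional

# Env-var names that usually carry a credential. Assumed patterns for this
# example; extend them to match your organisation's naming conventions.
CREDENTIAL_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.IGNORECASE)

# Workload kinds whose spec embeds a Pod template under spec.template.spec.
TEMPLATED_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet", "CronJob")


def pod_spec_of(manifest: dict) -> dict:
    """Return the Pod spec embedded in a workload manifest, or {} if it has none."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # one extra level: spec.jobTemplate.spec.template.spec
        spec = spec.get("jobTemplate", {}).get("spec", {})
    if kind in TEMPLATED_KINDS:
        return spec.get("template", {}).get("spec", {})
    return {}  # Services, ConfigMaps, Secrets etc. carry no containers


def classify_env(env: dict) -> Optional[str]:
    """Return a reason string if this env entry exposes a credential badly, else None."""
    if not CREDENTIAL_NAME.search(env.get("name", "")):
        return None  # not credential-like, nothing to check
    if "value" in env:
        return "literal plaintext value in manifest"
    if "configMapKeyRef" in env.get("valueFrom", {}):
        return "sourced from a ConfigMap, which is not a secret store"
    return None  # secretKeyRef (or field/resource refs) is the acceptable shape


def find_plaintext_credentials(manifests: List[dict]) -> List[str]:
    """Report credential-like env vars that are not sourced from a Secret.

    The finding never echoes the value itself, so the report is safe to log.
    """
    findings = []
    for manifest in manifests:
        spec = pod_spec_of(manifest)
        label = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
        for container in spec.get("initContainers", []) + spec.get("containers", []):
            for env in container.get("env", []):
                reason = classify_env(env)
                if reason:
                    findings.append(
                        f"{label} container {container.get('name')} env {env['name']}: {reason}"
                    )
    return findings


# Constructed sample manifests: the weak Deployment beside its hardened form.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "orders-weak"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example/orders:1.0",
        "env": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "value": "not-a-real-password"},  # constructed literal
            {"name": "API_TOKEN", "valueFrom": {"configMapKeyRef": {"name": "orders-config", "key": "token"}}},
        ]}]}}},
}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "orders-hardened"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api", "image": "example/orders:1.0",
        "env": [
            {"name": "DB_HOST", "value": "db.internal"},
            {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "orders-db", "key": "password"}}},
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "orders-api", "key": "token"}}},
        ]}]}}},
}

CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "orders-config"},
             "data": {"LOG_LEVEL": "info"}}

if __name__ == "__main__":
    for line in find_plaintext_credentials([WEAK, HARDENED, CONFIGMAP]):
        print(line)
```

Run against a directory of manifests by loading each document with `yaml.safe_load_all` and passing the resulting dicts in; the hardened Deployment produces no findings, the weak one produces two. Moving the value into a Secret only gets you part of the way: the Secret itself still needs encryption at rest (an encryption provider on the API server or an external KMS) and RBAC that limits who can read it, which is the "at rest and in transit" point above.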
Protecting against and recovering from ransomware such as Siloscape is significantly easier when a reputable data management platform is in place alongside good security hygiene. Namespace backups for Kubernetes are critical to a successful recovery when something goes wrong, regardless of whether you run native K8s, VMware Tanzu, Azure Kubernetes Service, or a mix of distributions. Combined with restoring to an unaffected cluster in a secondary site, they let you bring applications and services back online quickly.
Proactive security behavior and data protection rules, on the other hand, can help you avoid these dangers and even restore your system to its most recent operational state if the worst-case scenario occurs. If Kubernetes is to continue to grow and prosper, its administrators must know the danger looming over their heads. “Knowledge is half the battle!” said the great counter-terrorist intellectuals throughout history. Curiosity about the other half aside, I think it is fair to conclude that data protection is, without a doubt, the most critical issue.