A researcher at Unit 42 has discovered a new malware that has been active for over a year. The malware has been named Siloscape and is the first malware seen exploiting known vulnerabilities in web servers and databases with the end goal of compromising Kubernetes nodes and backdooring clusters. Kubernetes was initially developed by Google and is currently maintained by the Cloud Native Computing Foundation. It is an open-source system that helps automate the deployment, scaling, and management of containerized workloads, services, and apps across clusters of hosts.

According to the researchers, Siloscape is heavily obfuscated and targets Kubernetes clusters through Windows containers. This is the first time researchers have observed Kubernetes targeted through Windows; Kubernetes clusters are far more often targeted through Linux, because Linux is used so widely in cloud environments.

Once it has compromised a web server, Siloscape uses various container escape tactics to achieve code execution on the underlying Kubernetes node. The malware then probes the node for credentials in order to spread to other nodes. In the final stage of infection, the malware establishes a Command and Control (C2) connection through an IRC server over the Tor network.
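The chain described above starts inside a Windows container and ends with node credentials, so one practical defensive check is to audit pod manifests for the settings that make the container-to-node step easy. The script below is an added example, not code from the article or from Unit 42; it reads a `kubectl get pods -A -o json` style document (two constructed sample manifests are embedded inline) and flags pods scheduled to Windows nodes that run privileged, run as HostProcess containers, or have a service-account token automounted.

```python
import json

WINDOWS_LABEL = ("kubernetes.io/os", "windows")  # standard Kubernetes node label

def pod_findings(pod: dict) -> list[str]:
    """Return the risky settings found in one pod manifest (a parsed dict)."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    selector = spec.get("nodeSelector", {})
    if selector.get(WINDOWS_LABEL[0]) != WINDOWS_LABEL[1]:
        return findings  # only Windows-scheduled pods are in scope here
    pod_sc = spec.get("securityContext", {})
    if pod_sc.get("windowsOptions", {}).get("hostProcess"):
        findings.append(f"{name}: pod-level HostProcess (runs on the node itself)")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if sc.get("windowsOptions", {}).get("hostProcess"):
            findings.append(f"{name}/{c['name']}: HostProcess container")
    # Default is True: a mounted token is exactly the credential an escaped
    # process would look for on the node to reach the API server.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service-account token automounted")
    return findings

def audit(pods_json: str) -> list[str]:
    """Audit every item of a pod list document and return all findings."""
    doc = json.loads(pods_json)
    out = []
    for pod in doc.get("items", []):
        out.extend(pod_findings(pod))
    return out

# Constructed sample input (two pods); not taken from any real cluster.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "iis-web", "namespace": "prod"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
              "containers": [{"name": "iis",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "hardened", "namespace": "prod"},
     "spec": {"nodeSelector": {"kubernetes.io/os": "windows"},
              "automountServiceAccountToken": False,
              "containers": [{"name": "app"}]}},
]})
```

Run `audit(SAMPLE)` to see the two findings for `iis-web`; the `hardened` pod produces none.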
When evaluating a Managed Detection & Response (MDR) service there are 5 critical components that