Protecting Against Kubernetes-Borne Ransomware

The conventional wisdom that virtual container environments were somehow immune from malware and hackers has been upended.

Sonya Duffin, Ransomware and Data Protection Expert, Veritas Technologies

July 19, 2022


Kubernetes and container technology in general had a good run as seemingly immune to malware, but that ended when Siloscape burst onto the scene in March 2021. It was the first known threat targeting Kubernetes environments to potentially do all kinds of nefarious things, including spread ransomware. In the ensuing 16 months, Siloscape has undoubtedly provided other cybercriminals with a blueprint for attacking container environments.

It's worth reviewing the details of Siloscape. Threat researcher Daniel Prizmant, who discovered the malware, put it this way: "Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.

"Compromising an entire cluster is much more severe than compromising an individual container, as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application," he continued. "For example, the attacker might be able to steal critical information such as usernames and passwords, an organization's confidential and internal files or even entire databases hosted in the cluster. Such an attack could even be leveraged as a ransomware attack by taking the organization’s files hostage."

A Distant Threat? No!

It's easy to fall into the trap of thinking this is some distant threat affecting an obscure technology few companies are deploying.

Au contraire. Prizmant himself pointed out that "with organizations moving to the cloud, many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks."

And recent research revealed one-third of organizations already rely on Kubernetes. Of the remaining two-thirds that do not yet use it, 86% expect to deploy the technology in the next two to three years.

Alarmingly, though, just 33% of organizations that have deployed Kubernetes so far have tools in place to protect their container environments against data loss incidents such as ransomware. That may be why it didn't take long for Prizmant's ransomware prediction to come true — the same research revealed that barely a year later, almost half of organizations that have deployed Kubernetes have already experienced a ransomware attack on their container environments, while a staggering 89% of respondents said that ransomware attacks on Kubernetes environments are "an issue" for their organizations today.

Does this mean that Kubernetes is the new weak link in data protection? The Achilles' heel in defense against ransomware?

Siloscape is undoubtedly just the first in a lineup of threats that will target Kubernetes environments as the technology continues to gain steam.

The Simplest Solution

Unfortunately, most organizations are overlooking the simplest solution: extending current data protection from their traditional workloads out across their containerized environments. Beyond the ability to quickly protect Kubernetes workloads, this approach has other benefits, including a simplified data restoration process and a single place to manage protection data.

Other keys to protecting Kubernetes environments against ransomware and other data loss threats are:

  • Use Transport Layer Security (TLS) for all API traffic.

  • When you install a cluster, choose an authentication mechanism for the API servers that matches your common access patterns.

  • Enable role-based access control.

  • Control access to the kubelet through kubelet authentication and authorization.

  • Set appropriate resource quotas and limit ranges.

  • Properly configure pod security admission.

  • Add rules to prevent containers from loading unwanted kernel modules.

  • Restrict network access.

  • Restrict cloud metadata API access.

  • Control which nodes pods may access.

  • Enable audit logging.

  • Restrict access to alpha and beta features.

  • Rotate infrastructure credentials frequently.

  • Review third-party integrations before enabling them.

Learn more about these steps from Kubernetes here.
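The following manifest is an added example (it is not from the article or from Veritas) showing how several of the steps above look in practice as Kubernetes configuration: a namespace with pod security admission enforced, a least-privilege role binding, a resource quota and limit range, a default-deny network policy that also blocks the cloud metadata endpoint, and an API server audit policy. The namespace name "payments", the role and service account names, and the quota figures are assumed placeholders; adjust them to your environment.

```yaml
# Added example, not from the original article. Namespace, role, service
# account names and quota sizes are assumed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod security admission: reject pods that violate the "restricted" profile
    # (no privileged containers, no host namespaces, no hostPath, etc.).
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
# Role-based access control: a CI deployer may manage Deployments only.
# It gets no access to Secrets and no pods/exec, so a stolen token is
# far less useful for lateral movement or data theft.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: payments
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-binding
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: payments
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
---
# Resource quota: caps what the whole namespace may consume, so a runaway
# or malicious workload cannot starve other tenants of the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    pods: "20"
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
---
# Limit range: per-container defaults and ceilings, so pods that omit
# resource limits still get bounded ones.
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-limits
  namespace: payments
spec:
  limits:
    - type: Container
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: 500m, memory: 512Mi}
      max: {cpu: "2", memory: 4Gi}
---
# Network policy: no ingress rules means all ingress is denied by default;
# egress is allowed everywhere except the cloud metadata endpoint, which
# is the usual route to cloud credentials from inside a container.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress-block-metadata
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 169.254.169.254/32
---
# Audit policy, passed to kube-apiserver with --audit-policy-file.
# Full bodies for RBAC changes (who widened access?), metadata only for
# Secrets (so their contents never land in the audit log), metadata for
# everything else.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
  - level: RequestResponse
    resources:
      - group: rbac.authorization.k8s.io
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: Metadata
```

Apply the namespace-scoped objects with `kubectl apply -f`; the audit policy is a control-plane file rather than an API object, so it goes where the API server reads it. Note that a network policy only takes effect if the cluster's CNI plugin implements NetworkPolicy, and that pod security admission labels affect newly created pods, so existing workloads should be checked with the `warn` or `audit` modes first.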

Kubernetes is easy for organizations to deploy, and quickly improves affordability, flexibility, and scalability — it's no wonder so many are embracing containerization. But because deployment is so simple, organizations can easily surge ahead faster with their Kubernetes implementation than their Kubernetes protection. Follow the guidance here to avoid letting that happen to you.

About the Author(s)

Sonya Duffin

Ransomware and Data Protection Expert, Veritas Technologies

Sonya Duffin is a ransomware and data protection expert at Veritas Technologies. With a background in both the private and public sectors, she currently focuses on communicating complex topics like ransomware-related legislation and cybersecurity hygiene best practices to customers in a way that translates into actionable strategies to better protect data. Duffin completed both her undergraduate (BA) and graduate studies (MBA) at Santa Clara University.
