SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Hackers exploit Tesla's AWS servers to mine cryptocurrency
Thu, 22nd Feb 2018
FYI, this story is more than a year old

Tesla is reassuring customers that a recent cryptojacking has not compromised vehicle safety of customer privacy, despite the hack affecting the company's cloud databases.

Security firm RedLock discovered the hack and reported its findings this week. They claim hackers were able to access Tesla's public cloud computing environments and carry out cryptojacking activities within Tesla's AWS environment.

"Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way," a statement from Tesla says.

According to RedLock, cyberattackers gained access to Tesla's Kubernetes administrative console, which in turn exposed Tesla's AWS access credentials. Those credentials provided access to Tesla's non-public information which was stored in S3 buckets.

Kubernetes administrative consoles have also been the subject of a number of other vulnerabilities. Last year RedLock discovered hundreds of consoles that leaked credentials to other applications.

In Tesla's case, hackers were able to mine cryptocurrency by abusing Tesla cloud computing resources. They were also able to evade detection by using mining pool software and configured the malicious script to connect to an ‘unlisted' endpoint.

RedLock explains further in a blog:

The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging. Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic. Lastly, the team also observed on Tesla's Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.

RedLock researchers this hack demonstrates the importance of security in cloud environments.

“The message from this research is loud and clear—the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” comments RedLock CTO Gaurav Kumar.

“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.

 The RedLock team immediately notified Tesla of its findings from the hack. Tesla has since fixed the vulnerabilities.

RedLock offers the following suggestions for preventing similar compromises:

Monitor Configurations: With DevOps teams delivering applications and services to production without any security oversight, organisations should monitor for risky configurations. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.

Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

Monitor for Suspicious User Behaviour: It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach. Organisations need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behaviour that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies; see figure 4 below for an example of anomalous user activity detected using the RedLock Cloud 360 platform. In this case, it is possible that Tesla's AWS access credentials that were leaked from the unprotected Kubernetes pod were subsequently used to perform other nefarious activities.