
Hackers exploit Tesla's AWS servers to mine cryptocurrency

22 Feb 2018

Tesla is reassuring customers that a recent cryptojacking incident has not compromised vehicle safety or customer privacy, despite the hack affecting the company’s cloud databases.

Security firm RedLock discovered the hack and reported its findings this week. They claim hackers were able to access Tesla’s public cloud computing environments and carry out cryptojacking activities within Tesla’s AWS environment.

"Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way," a statement from Tesla says.

According to RedLock, cyberattackers gained access to Tesla’s Kubernetes administrative console, which in turn exposed Tesla’s AWS access credentials. Those credentials provided access to Tesla’s non-public information which was stored in S3 buckets.

Kubernetes administrative consoles have been at the centre of a number of other exposures as well. Last year RedLock discovered hundreds of consoles that leaked credentials to other applications.

In Tesla’s case, the hackers mined cryptocurrency by abusing Tesla’s cloud computing resources. To evade detection they used mining pool software and configured the malicious script to connect to an ‘unlisted’ endpoint.

RedLock explains further in a blog:

The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging. Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic. Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.

RedLock researchers say this hack demonstrates the importance of security in cloud environments.

“The message from this research is loud and clear—the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” comments RedLock CTO Gaurav Kumar.

“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”

The RedLock team immediately notified Tesla of its findings from the hack. Tesla has since fixed the vulnerabilities.

RedLock offers the following suggestions for preventing similar compromises:

Monitor Configurations: With DevOps teams delivering applications and services to production without any security oversight, organisations should monitor for risky configurations. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.

Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

Monitor for Suspicious User Behaviour: It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach. Organisations need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behaviour that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies; see figure 4 below for an example of anomalous user activity detected using the RedLock Cloud 360 platform. In this case, it is possible that Tesla’s AWS access credentials that were leaked from the unprotected Kubernetes pod were subsequently used to perform other nefarious activities.
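The event-based baselining RedLock describes can be shown with a small detector. This is an added example, not RedLock's or Tesla's code: it builds a per-principal profile of API actions and source IPs from constructed CloudTrail-style records (the principal name, IPs and action names are made up), then flags later events that fall outside that profile, such as a pod's credentials suddenly being used for a new action from an unfamiliar address.

```python
"""Event-based anomaly detection over constructed CloudTrail-style records."""
from collections import defaultdict

# Constructed sample data (not real Tesla telemetry): a pod's role normally
# reads from S3 from a single in-cluster address.
BASELINE = [
    {"principal": "role/k8s-pod", "event": "GetObject", "source_ip": "10.0.1.5"},
    {"principal": "role/k8s-pod", "event": "ListObjects", "source_ip": "10.0.1.5"},
    {"principal": "role/k8s-pod", "event": "GetObject", "source_ip": "10.0.1.5"},
]

# Later events: the first is normal, the second uses a never-seen action from
# an external address, the third is a known action from that same new address.
NEW_EVENTS = [
    {"principal": "role/k8s-pod", "event": "GetObject", "source_ip": "10.0.1.5"},
    {"principal": "role/k8s-pod", "event": "ListBuckets", "source_ip": "203.0.113.9"},
    {"principal": "role/k8s-pod", "event": "GetObject", "source_ip": "203.0.113.9"},
]


def build_baseline(events):
    """Return, per principal, the set of API actions and source IPs seen so far."""
    profile = defaultdict(lambda: {"events": set(), "ips": set()})
    for e in events:
        p = profile[e["principal"]]
        p["events"].add(e["event"])
        p["ips"].add(e["source_ip"])
    return profile


def find_anomalies(profile, events):
    """Flag events whose action or source IP lies outside the principal's baseline.

    Returns a list of (event, source_ip, reasons) tuples; an event may carry
    several reasons (e.g. both a new action and a new source IP).
    """
    findings = []
    for e in events:
        p = profile.get(e["principal"])  # .get() does not create a new profile
        reasons = []
        if p is None:
            reasons.append("unknown principal")
        else:
            if e["event"] not in p["events"]:
                reasons.append("new API action")
            if e["source_ip"] not in p["ips"]:
                reasons.append("new source IP")
        if reasons:
            findings.append((e["event"], e["source_ip"], reasons))
    return findings
```

In practice the baseline would be built from a rolling window of historical CloudTrail data rather than a fixed list, but the comparison logic is the same.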
