Hackers exploit Tesla's AWS servers to mine cryptocurrency

22 Feb 2018

Tesla is reassuring customers that a recent cryptojacking has not compromised vehicle safety or customer privacy, despite the hack affecting the company’s cloud databases.

Security firm RedLock discovered the hack and reported its findings this week. They claim hackers were able to access Tesla’s public cloud computing environments and carry out cryptojacking activities within Tesla’s AWS environment.

"Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way," a statement from Tesla says.

According to RedLock, cyberattackers gained access to Tesla’s Kubernetes administrative console, which in turn exposed Tesla’s AWS access credentials. Those credentials provided access to Tesla’s non-public information which was stored in S3 buckets.

Kubernetes administrative consoles have also been the subject of a number of other vulnerabilities. Last year RedLock discovered hundreds of consoles that leaked credentials to other applications.

In Tesla’s case, hackers were able to mine cryptocurrency by abusing Tesla’s cloud computing resources. They also evaded detection by using mining pool software and configuring the malicious script to connect to an ‘unlisted’ endpoint.

RedLock explains further in a blog:

The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging. Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic. Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.

RedLock researchers say this hack demonstrates the importance of security in cloud environments.

“The message from this research is loud and clear—the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” comments RedLock CTO Gaurav Kumar.

“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”

The RedLock team immediately notified Tesla of its findings from the hack. Tesla has since fixed the vulnerabilities.

RedLock offers the following suggestions for preventing similar compromises:

Monitor Configurations: With DevOps teams delivering applications and services to production without any security oversight, organisations should monitor for risky configurations. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.

Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

Monitor for Suspicious User Behaviour: It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach. Organisations need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behaviour that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies; see figure 4 below for an example of anomalous user activity detected using the RedLock Cloud 360 platform. In this case, it is possible that Tesla’s AWS access credentials that were leaked from the unprotected Kubernetes pod were subsequently used to perform other nefarious activities.
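The "Monitor Network Traffic" suggestion above, and the evasion techniques RedLock describes (a pool endpoint on a non-standard port, low CPU usage), both point to the same detection idea: correlate flow records with what each pod is configured to talk to, and judge connections by how long they persist rather than by port or volume. The following is an added example and not RedLock's or Tesla's code; the pod inventory, addresses and flow records are constructed, and the record layout follows the default AWS VPC Flow Log v2 field order.

```python
"""Correlate constructed VPC Flow Log v2 records with a Kubernetes pod
inventory to flag sustained egress a pod's declared policy does not cover.
Added example; pod names, addresses and the policy map are constructed."""
from collections import defaultdict

# Constructed inventory: pod IP -> (pod name, allowed egress (dst_port, proto)).
POD_INVENTORY = {
    "10.0.1.12": ("web-frontend", {(443, "tcp"), (53, "udp")}),
    "10.0.1.20": ("batch-worker", {(443, "tcp"), (5432, "tcp"), (53, "udp")}),
}
PROTO = {"6": "tcp", "17": "udp"}

# Default VPC Flow Log v2 field order.
FIELDS = ("version account eni src dst sport dport proto packets bytes "
          "start end action status").split()

def parse_flow(line):
    """Parse one flow record into a dict; None for malformed or non-OK lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
    rec["duration"] = int(rec["end"]) - int(rec["start"])
    rec["proto"] = PROTO.get(rec["proto"], rec["proto"])
    return rec

def find_undeclared_egress(lines, min_seconds=1800):
    """Return (pod, dst, port, proto) keys whose ACCEPTed flows fall outside
    the pod's declared egress and persist for >= min_seconds in total.  The
    time threshold catches a long-lived, low-volume session to a pool server
    whatever port it uses, which port- or bandwidth-based rules would miss."""
    seen = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if not rec or rec["action"] != "ACCEPT" or rec["src"] not in POD_INVENTORY:
            continue
        name, allowed = POD_INVENTORY[rec["src"]]
        if (rec["dport"], rec["proto"]) not in allowed:
            seen[(name, rec["dst"], rec["dport"], rec["proto"])] += rec["duration"]
    return sorted((k, v) for k, v in seen.items() if v >= min_seconds)

# Constructed sample: web-frontend keeps a two-hour tcp/8443 session to an
# outside address it never declared; batch-worker's tcp/5432 is declared.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.5 45012 8443 6 1200 96000 1519200000 1519203600 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.5 45012 8443 6 1100 88000 1519203600 1519207200 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 198.51.100.7 51000 443 6 30 9000 1519200000 1519200060 ACCEPT OK",
    "2 123456789012 eni-0b2c3d4e 10.0.1.20 10.0.2.30 52000 5432 6 500 40000 1519200000 1519207200 ACCEPT OK",
    "2 123456789012 eni-0b2c3d4e 10.0.1.20 192.0.2.9 52100 4444 6 3 180 1519200000 1519200005 REJECT OK",
]

if __name__ == "__main__":
    for (pod, dst, port, proto), secs in find_undeclared_egress(SAMPLE_FLOWS):
        print(f"{pod}: {secs}s of undeclared egress to {dst}:{port}/{proto}")
```

In a real deployment the inventory would be built from the cluster's NetworkPolicy objects and service definitions rather than hand-written, and the threshold tuned to the workload.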
