
Hackers exploit Tesla's AWS servers to mine cryptocurrency

22 Feb 2018

Tesla is reassuring customers that a recent cryptojacking incident has not compromised vehicle safety or customer privacy, despite the hack affecting the company’s cloud databases.

Security firm RedLock discovered the hack and reported its findings this week. It says hackers were able to access Tesla’s public cloud computing environment and carry out cryptojacking within Tesla’s AWS environment.

"Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way," a statement from Tesla says.

According to RedLock, cyberattackers gained access to Tesla’s Kubernetes administrative console, which in turn exposed Tesla’s AWS access credentials. Those credentials provided access to Tesla’s non-public information which was stored in S3 buckets.

Kubernetes administrative consoles have also been the subject of a number of other vulnerabilities. Last year RedLock discovered hundreds of consoles that leaked credentials to other applications.

In Tesla’s case, hackers were able to mine cryptocurrency by abusing Tesla’s cloud computing resources. They also evaded detection by using mining pool software and configuring the malicious script to connect to an ‘unlisted’ endpoint.

RedLock explains further in a blog:

The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging. Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic. Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.

RedLock researchers say this hack demonstrates the importance of security in cloud environments.

“The message from this research is loud and clear—the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” comments RedLock CTO Gaurav Kumar.

“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”

The RedLock team immediately notified Tesla of its findings from the hack. Tesla has since fixed the vulnerabilities.

RedLock offers the following suggestions for preventing similar compromises:

Monitor Configurations: With DevOps teams delivering applications and services to production without any security oversight, organisations should monitor for risky configurations. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.

Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

Monitor for Suspicious User Behaviour: It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach. Organisations need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behaviour that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies; see figure 4 below for an example of anomalous user activity detected using the RedLock Cloud 360 platform. In this case, it is possible that Tesla’s AWS access credentials that were leaked from the unprotected Kubernetes pod were subsequently used to perform other nefarious activities.
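The two monitoring recommendations above (network traffic and user behaviour) can be turned into concrete detection rules. The following is an added example written for this article and is not code from RedLock, Tesla or the RedLock Cloud 360 platform. It runs over constructed sample records: the record shapes are simplified stand-ins for VPC flow logs and CloudTrail events, and the VPC range, port allow-list, IP addresses and access-key id (AWS's documentation placeholder) are all assumptions made for the example.

```python
"""Added example, not code from the article or from RedLock/Tesla: the network
and user-behaviour detections the article recommends, run over constructed
sample records.  Record formats are simplified stand-ins (assumptions) for
VPC flow logs and CloudTrail events; the CIDR, port allow-list, addresses and
access-key id are constructed (the key id is AWS's documentation placeholder)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical VPC range and the ports the cluster is expected to reach outside it.
VPC_CIDR = ip_network("10.0.0.0/8")
EXPECTED_EGRESS_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class Flow:
    src: str        # pod IP
    dst: str        # destination IP
    dst_port: int
    bytes_out: int  # bytes sent by the pod
    seconds: int    # how long the connection stayed open


def flag_mining_like_flows(flows, min_seconds=600):
    """Flows that look like a miner holding a pool connection: from inside the
    VPC to an external host, on a port outside the allow-list, kept open for a
    long time.  Byte volume is deliberately not part of the rule, because a
    miner throttled to low CPU (as described in the article) sends very little."""
    return [
        f for f in flows
        if ip_address(f.src) in VPC_CIDR
        and ip_address(f.dst) not in VPC_CIDR
        and f.dst_port not in EXPECTED_EGRESS_PORTS
        and f.seconds >= min_seconds
    ]


# Constructed flow records; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.42.0.7", "203.0.113.10", 443, 51_200, 30),      # ordinary HTTPS egress
    Flow("10.42.0.7", "198.51.100.23", 40123, 9_600, 3600),  # long-lived, odd port, tiny volume
    Flow("10.42.0.9", "10.42.0.3", 40123, 1_000, 7200),      # pod-to-pod, stays inside the VPC
    Flow("10.42.0.7", "198.51.100.5", 8080, 500, 12),        # odd port but short-lived
]


def build_baseline(history):
    """Per access key, the set of API calls seen during a baseline window.
    This is the event-based baseline the article asks for, as opposed to a
    purely geo-location or time-of-day profile."""
    baseline = defaultdict(set)
    for e in history:
        baseline[e["accessKeyId"]].add(e["eventName"])
    return baseline


def flag_anomalous_events(baseline, events):
    """Events whose API call was never seen for that key in the baseline window.
    A key that only ever read and wrote one bucket suddenly enumerating buckets
    or launching instances is the pattern a leaked credential produces."""
    return [e for e in events
            if e["eventName"] not in baseline.get(e["accessKeyId"], set())]


KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder, not a real key
BASELINE_EVENTS = [
    {"accessKeyId": KEY, "eventName": "GetObject", "sourceIPAddress": "10.42.0.7"},
    {"accessKeyId": KEY, "eventName": "PutObject", "sourceIPAddress": "10.42.0.7"},
    {"accessKeyId": KEY, "eventName": "GetObject", "sourceIPAddress": "10.42.0.7"},
]
NEW_EVENTS = [
    {"accessKeyId": KEY, "eventName": "GetObject", "sourceIPAddress": "10.42.0.7"},
    {"accessKeyId": KEY, "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77"},
    {"accessKeyId": KEY, "eventName": "RunInstances", "sourceIPAddress": "198.51.100.77"},
]


def run_detections():
    """Return the findings from both checks over the constructed samples."""
    return {
        "suspicious_flows": flag_mining_like_flows(SAMPLE_FLOWS),
        "anomalous_events": flag_anomalous_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS),
    }


if __name__ == "__main__":
    findings = run_detections()
    for f in findings["suspicious_flows"]:
        print(f"flow: {f.src} -> {f.dst}:{f.dst_port} open {f.seconds}s")
    for e in findings["anomalous_events"]:
        print(f"event: {e['accessKeyId']} {e['eventName']} from {e['sourceIPAddress']}")
```

Two design choices follow directly from the evasion techniques the article describes. The flow rule keys on connection lifetime and an unexpected destination port rather than on destination IP or byte volume, because a pool hidden behind a CDN changes address on demand and a throttled miner barely moves data. The credential rule compares each API call against what the key has historically done, so a leaked key used for enumeration or compute launches stands out even when the calls arrive at a plausible time from a plausible location.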
