Tesla Falls to Crypto-Jackers

Tesla, the green-car, solar and satellite company headed by Elon Musk, has fallen victim to hackers and crypto-jackers.

RedLock CSI researchers found that bad actors intruded into Tesla’s public cloud environment to gain unauthorized access to nonpublic Tesla data like vehicle telemetry and steal compute resources within Tesla’s Amazon Web Services (AWS) environment to mine cryptocurrencies.

At issue was Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment. Those credentials provided unfettered access to Tesla's Amazon Simple Storage Service (S3) buckets.

The cyber-thieves also performed crypto-jacking using Tesla’s cloud compute resources and employed specific techniques to evade detection. For example, instead of the more familiar public “mining pool,” they installed mining pool software and configured the malicious script to connect to an unlisted endpoint. That makes it harder for standard IP/domain-based threat intelligence feeds to detect malicious activity.

Other tricks included hiding the true IP address of the mining pool server behind Cloudflare and likely keeping CPU usage low to further evade detection.

The issue is not an isolated one: The CSI team has, over time, found hundreds of Kubernetes administration consoles left accessible over the internet without password protection, which leak credentials to other critical applications. In this case, the researchers immediately informed Tesla of their findings, and the misconfiguration was addressed.

RedLock’s latest Cloud Security Trends research report, released this week, found that 83% of vulnerable hosts in the cloud are receiving suspicious traffic, suggesting attempted exploitation, and 15% of these hosts are exhibiting activity patterns associated with instance compromise or reconnaissance by attackers. It also found that 8% of organizations have crypto-jacking activity within their cloud environments. The RedLock CSI team anticipates this will rapidly increase in the near future.

Account compromises also keep rising: Poor user and API access hygiene, combined with ineffective visibility and user activity monitoring, are causing organizations to be more vulnerable to breaches. For example, 73% of organizations allow the root user account to be used to perform activities – behavior that goes against security best practices. Furthermore, 16% of organizations have user accounts that have potentially been compromised.
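The root-account hygiene problem described above is something a defender can measure directly from AWS CloudTrail. The script below is an added example, not code from the article or from RedLock: it walks a batch of CloudTrail records and flags every call made by the account root user, a root console login without MFA, and root activity from a source address outside an allowlist of trusted networks. The field names (`userIdentity.type`, `eventName`, `sourceIPAddress`, `additionalEventData.MFAUsed`) are the real CloudTrail schema; the sample records, the account number and the trusted network range are constructed for the example.

```python
"""Flag root-account activity in AWS CloudTrail records (added example).

The records below are constructed for illustration; they are not real
events from any organisation. The TRUSTED_NETWORKS range is an assumed
corporate egress block, also constructed.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

# Constructed sample of four CloudTrail records covering the cases we want to catch.
SAMPLE_CLOUDTRAIL: List[Dict] = [
    {   # root user listing S3 buckets from an unknown address
        "eventTime": "2018-02-20T08:15:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "198.51.100.23",
    },
    {   # ordinary IAM user doing routine work from the corporate range
        "eventTime": "2018-02-20T08:16:40Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
        "sourceIPAddress": "203.0.113.5",
    },
    {   # root console login without MFA, from the corporate range
        "eventTime": "2018-02-20T09:02:11Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.9",
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # assumed role from an EC2 instance profile, not of interest here
        "eventTime": "2018-02-20T09:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/node/i-0abc"},
        "sourceIPAddress": "203.0.113.40",
    },
]

# Assumed trusted egress range (constructed); replace with your own networks.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_source(ip: str) -> bool:
    """True when the source address falls inside a trusted network.

    CloudTrail puts a service hostname (e.g. "s3.amazonaws.com") in this
    field for service-originated calls; those are treated as untrusted so
    they still surface for review rather than being silently accepted.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit_events(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per root-user event, with the reasons it was flagged."""
    findings: List[Dict] = []
    for ev in events:
        identity = ev.get("userIdentity", {})
        if identity.get("type") != "Root":
            continue  # only root activity is in scope for this check
        name = ev.get("eventName", "<unknown>")
        src = ev.get("sourceIPAddress", "")
        reasons = [f"root account used for {name}"]
        if name == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if mfa != "Yes":
                reasons.append("console login without MFA")
        if not is_trusted_source(src):
            reasons.append(f"source {src} outside trusted networks")
        findings.append({
            "eventTime": ev.get("eventTime"),
            "eventName": name,
            "sourceIPAddress": src,
            "reasons": reasons,
        })
    return findings


def root_share(events: List[Dict]) -> float:
    """Fraction of events performed as root; 0.0 for an empty batch."""
    if not events:
        return 0.0
    root = sum(1 for ev in events if ev.get("userIdentity", {}).get("type") == "Root")
    return root / len(events)


if __name__ == "__main__":
    for finding in audit_events(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding))
    print(f"root share of activity: {root_share(SAMPLE_CLOUDTRAIL):.0%}")
```

In practice the input would be the gzipped JSON files CloudTrail delivers to S3 (each holding a `Records` array) rather than an inline list; the detection logic is the same. A healthy account shows no root API calls at all outside the few tasks AWS reserves for root, so even a single finding is worth a ticket.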

All of this means that many businesses are still a long way from compliance: The General Data Protection Regulation (GDPR) goes into effect in a few months, but the analysis shows that 66% of databases are not encrypted.

“The message from this research is loud and clear – the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” said Gaurav Kumar, CTO of RedLock and head of the CSI team. “In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic and host vulnerabilities. Without that, anything the providers do will never be enough.”