Tesla cloud systems exploited by hackers to mine cryptocurrency

Updated: Researchers have discovered that Tesla's AWS cloud systems were compromised for the purpose of cryptojacking.

screen-shot-2018-02-20-at-09-43-57.jpg
Tesla

Tesla's cloud environment has been exploited by threat actors to mine cryptocurrencies, researchers have discovered.

On Tuesday, cloud security firm RedLock released the firm's 2018 Cloud Security Trends report which documents the discovery of an unprotected Kubernetes console belonging to automaker Tesla.

The Kubernetes console is used to automate the deployment, scaling, and operation of application containers, virtualized software, and some cloud-based services.

Google's open-source Kubernetes system is used securely by countless enterprise players worldwide, but in this case, an unsecured console exposed access credentials to Tesla's Amazon Web Services (AWS) environment.

Researchers from the RedLock Cloud Security Intelligence (CSI) team discovered that cryptocurrency mining scripts, used for cryptojacking -- the unauthorized use of computing power to mine cryptocurrency -- were operating on Tesla's unsecured Kubernetes instances, which allowed the attackers to steal the Tesla AWS compute resources to line their own pockets.

Tesla's AWS system also contained sensitive data including vehicle telemetry, which was exposed due to the unsecured credentials theft.

"In Tesla's case, the cyber thieves gained access to Tesla's Kubernetes administrative console, which exposed access credentials to Tesla's AWS environment," RedLock says. "Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets."

The unknown hackers also employed a number of techniques to avoid detection. Rather than using typical public mining pools in their scheme, for example, the threat actors instead installed mining pool software and instructed the mining script to connect to an unlisted endpoint.

According to the researchers, this technique makes it more difficult for domain and IP-based threat detection systems to detect such activity.

In addition, the cyberattackers hid the true IP address of the mining pool to keep CPU usage low and prevent a level of suspicious traffic which would likely have been quickly detected.

The RedLock team made Tesla immediately aware of the discovery and the security issues surrounding the Kubernetes console have now been addressed.

Within the report, RedLock also said that the "cryptocurrency effect" is in full sway. Threat actors have begun using scripts, ransomware, and other tactics to mine or steal valuable cryptocurrency assets.

While roughly eight percent of organizations are now believed to suffer from this type of attack, the majority has gone unnoticed due to ineffective network monitoring.

In addition, the company says that poor use and API access rules have led to close to three-quarters of businesses allowing root user accounts to be used to perform general activities, and with the General Data Policy Regulation (GDPR) going into effect in a matter of months, "organizations are far from where they need to be to effectively govern the cloud and ensure compliance."

See also: Hack the Air Force 2.0 uncovers over 100 vulnerabilities

"The message from this research is loud and clear-the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities," said Gaurav Kumar, CTO of RedLock. "Security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough."

Update 15.46 GMT: A Tesla spokesperson told ZDNet:

"We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."

Earlier this month, it was revealed that hundreds of government-related websites across the UK, Australia, and the US had been compromised through a third-party service to mine cryptocurrency via visitor CPUs. Over 4,000 websites were affected.

Previous and related coverage