Hackers Hijack Tesla’s AWS servers, Use It To Mine Cryptocurrency
Tesla, the electric car manufacturer based in Palo Alto, California, is the latest victim of crypto-mining malware that allowed the hackers to covertly mine cryptocurrency – an attack known as ‘crypto-jacking’.
Researchers from the RedLock Cloud Security Intelligence (CSI) team discovered the breach of a Tesla-owned Amazon cloud account last month and alerted the car manufacturer. The CSI researchers came across the breach while trying to find out which organization had left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account happened to be Tesla, they said.
“We weren’t the first to get to it,” Varun Badhwar, CEO and co-founder of RedLock, told Fortune in a phone conversation. “Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment.”
The CSI researchers, in their February 2018 Cloud Security Trends report, said that the anonymous hackers infiltrated Tesla’s Kubernetes console (an open source system originally designed by Google to manage applications), which was not password protected and which exposed access credentials to Tesla’s Amazon Web Services (AWS) environment.
The exposed Tesla AWS environment contained an Amazon Simple Storage Service (S3) bucket that stored sensitive data such as telemetry, mapping and vehicle servicing data, the RedLock researchers stated. Once the hackers gained access to Tesla’s cloud servers, they installed cryptocurrency mining software called Stratum and configured the malicious script to connect to an unlisted or semi-public endpoint. They then began cryptomining, hiding the true IP address of the mining pool server behind Cloudflare and keeping CPU usage low to evade detection.
“In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment,” RedLock says. “Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.”
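The weak point described above is an administrative console that answered callers who never authenticated, and which in turn could read the Secrets where cloud credentials sit. The following is an added example, not code from the article or from RedLock, of the detection a cluster operator would run over Kubernetes API-server audit logs to catch exactly that: it assumes the standard audit.k8s.io/v1 event shape and the default dashboard service-account name, and the log lines are constructed for illustration.

```python
import json

# Constructed sample of Kubernetes API-server audit events (audit.k8s.io/v1), cut
# down to the fields this check reads. Illustrative only, not data from the incident.
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"cloud-creds"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:kubernetes-dashboard","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"secrets","namespace":"prod","name":"db-password"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com","groups":["system:authenticated"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"deployments","namespace":"prod","name":"web"},"responseStatus":{"code":200}}
"""

ANON_USER = "system:anonymous"
UNAUTH_GROUP = "system:unauthenticated"
DASHBOARD_SA = "system:serviceaccount:kube-system:kubernetes-dashboard"  # default name; assumption
READ_VERBS = {"get", "list", "watch"}


def audit_findings(lines):
    """Flag audit events matching the failure mode in the article: the API serving
    unauthenticated callers, or the dashboard's service account reading Secrets."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("stage") != "ResponseComplete":
            continue  # only finished requests carry the final HTTP status
        user = ev.get("user", {})
        name = user.get("username", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        ref = ev.get("objectRef", {})
        where = f"{ev.get('verb')} {ref.get('resource')}/{ref.get('namespace')}/{ref.get('name', '*')}"
        src = ",".join(ev.get("sourceIPs", []))
        anonymous = name == ANON_USER or UNAUTH_GROUP in user.get("groups", [])
        if anonymous and 200 <= code < 300:
            # Anonymous auth is enabled AND authorization let it through: the API is open.
            findings.append({"severity": "high", "why": "anonymous request served", "req": where, "src": src})
        elif anonymous:
            # Denied, but the API is still accepting anonymous requests at all.
            findings.append({"severity": "medium", "why": "anonymous request reached API", "req": where, "src": src})
        if name == DASHBOARD_SA and ref.get("resource") == "secrets" and ev.get("verb") in READ_VERBS:
            # A dashboard that can read Secrets shows them to whoever can reach its UI.
            findings.append({"severity": "medium", "why": "dashboard service account read a Secret", "req": where, "src": src})
    return findings


if __name__ == "__main__":
    for f in audit_findings(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"[{f['severity']}] {f['why']}: {f['req']} from {f['src']}")
```

On the sample, the first event is the high-severity case (an anonymous caller handed a Secret), while the ordinary authenticated deployment read produces nothing.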
Last year, RedLock had published a report that said that 53% of organizations using cloud storage services such as Amazon had accidentally exposed these to the public, with “hundreds” leaking credentials through services such as Kubernetes.
The CSI researchers said they are not certain of the type or the value of the currency mined with the stolen computing power. They were also uncertain as to how long the intruders had access.
RedLock Vice President Upa Campbell told Motherboard that “the crypto mining incidents have increased in tandem with rising cryptocurrency prices. As the values of cryptocurrencies rise we are seeing an epidemic.” Campbell also said that these hackers earn easier profits from cryptomining than from traditional data theft.
“It used to be lucrative for hackers to steal a company’s data, but hackers will always take the path of least resistance,” she added. “Cryptojacking is a lot easier because they get into the environment and simply leverage the computer systems to generate money.”
Meanwhile, Tesla quickly rectified the cryptojacking issue after RedLock notified it. A Tesla spokesperson confirmed that the breach compromised neither customer data nor the safety and security of its vehicles.
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesperson said. “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
RedLock CTO Gaurav Kumar said businesses should monitor for suspicious activity to avoid being exploited.
“The message from this research is loud and clear — the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” Kumar said in a statement Tuesday.
“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence.”
He added: “However, security is a shared responsibility. Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”