The hijacking of Tesla’s Amazon Web Services cloud system by rogue cryptominers is proof that no one is immune to a misconfigured AWS server or to cryptomining attacks.
RedLock researchers discovered an unprotected Kubernetes console, belonging to Tesla, that exposed access credentials to Tesla’s Amazon Web Services environment.
“Essentially, hackers were running crypto mining scripts on Tesla’s unsecured Kubernetes instances,” researchers said in their February 2018 Cloud Security Trends report. “To conceal their identity, the scripts were connecting to servers that reside behind CloudFlare, a content delivery network.”
The AWS system also contained valuable information such as vehicle telemetry, and the nefarious network activity went unnoticed by Tesla because of the techniques the threat actors used to conceal it, the researchers said.
The threat actors made it difficult for domain- and IP-based threat detection systems to spot their activity: they hid the true IP address of the mining pool and kept CPU usage low, avoiding the level of suspicious traffic that would have brought attention to the cryptominers.
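The root cause above was an unauthenticated Kubernetes console exposing pod definitions that carried AWS credentials. As an added example (not code from the report, RedLock or Tesla), the kind of check a defender can run over a pod listing to find credentials stored as plaintext container environment variables; the pod list, names and key values below are constructed.

```python
import json
import re

# Constructed sample pod listing, the kind of data an unauthenticated Kubernetes
# console exposes. Names and key values are made up but follow real AWS formats.
SAMPLE_PODS_JSON = """{"items": [
 {"metadata": {"name": "telemetry-ingest", "namespace": "prod"},
  "spec": {"containers": [{"name": "app", "env": [
   {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLE000000001"},
   {"name": "AWS_SECRET_ACCESS_KEY", "value": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0"},
   {"name": "BACKUP_CREDS", "value": "AKIAEXAMPLE000000002"}]}]}},
 {"metadata": {"name": "web", "namespace": "prod"},
  "spec": {"containers": [{"name": "nginx", "env": [
   {"name": "AWS_ACCESS_KEY_ID", "valueFrom": {"secretKeyRef": {"name": "aws", "key": "id"}}}
  ]}]}}]}"""

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID format
AWS_SECRET = re.compile(r"[A-Za-z0-9/+]{40}")     # AWS secret access key format
SENSITIVE_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def find_plaintext_aws_credentials(pod_list):
    # One finding per container env var carrying an AWS credential in plaintext.
    # Variables set via valueFrom (Secret/ConfigMap refs) are skipped: the console
    # shows only the reference, not the value.
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for env in container.get("env", []):
                value, name = env.get("value"), env.get("name", "")
                if value is None:
                    continue
                if name in SENSITIVE_NAMES:
                    reason = f"sensitive variable {name} set as a plaintext value"
                elif AWS_KEY_ID.search(value):
                    reason = "value matches AWS access key ID format"
                elif AWS_SECRET.fullmatch(value):
                    reason = "value matches AWS secret access key format"
                else:
                    continue
                findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                                 "container": container.get("name"), "env": name,
                                 "reason": reason})
    return findings


def scan_console_dump(text):
    # Parse a JSON pod listing as served by the API server / console and scan it.
    return find_plaintext_aws_credentials(json.loads(text))
```

Run the same scan against the output of `kubectl get pods --all-namespaces -o json`; any hit is a credential that should move into a Secret or, better, an IAM role bound to the workload.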
The prevalence of unsecured AWS servers and of cryptomining attacks suggested it was only a matter of time before the two were combined in a single attack. Despite the inevitability of the attack, researchers argue that Amazon and Tesla share responsibility for it, although some say Amazon could do more to prevent attacks that have become so frequent.
“Even with this model, I think that AWS could play a bigger role by offering their services like Guard Duty for free for customers so they can take advantage of AWS’s visibility to their platform,” David Cook, CISO of Databricks told SC Media. “Things like rogue services like bitcoin miners can be identified quickly.”
Even if these were offered, Cook said, customers must still follow best practices such as change management, key management, regular service scans, monitoring, and scanning. Some researchers believe that fault isn’t always black and white in these scenarios.
“Whenever a compromise or data breach takes place, there’s a tendency to point fingers, but the reality isn’t as clear cut: Security doesn’t have an on/off switch – and it’s important to layer multiple and different security measures to protect underlying data and resources,” Varonis Vice President of Field Engineering Ken Spinner told SC Media. “AWS provides a number of base level controls such as two-factor authentication and VPC (Virtual Private Clouds) to help protect accounts, monitor systems and prevent data exfiltration, but it’s not a silver bullet.”
Spinner said that if credentials are leaked it is nearly impossible for AWS to determine whether they are being put to legitimate use, adding that it’s ultimately up to the user to ensure their information remains safe. Given the value of the servers, both for the information they contain and for their computing power, it was only a matter of time before cybercriminals attempted to compromise them.
“Accounts that provide access to cloud resources are a very lucrative asset for coin miners, as the criminals can mine coins at the expense of the account’s owner,” Giovanni Vigna, director of the Center for Cybersecurity at UC Santa Barbara, told SC Media. “Kubernetes allows for ‘Dockerized’ instances to be deployed and run at scale, providing the perfect environment to perform large scale coin mining.”
Source/More: Tesla’s AWS servers hijacked by cryptominers