Tesla falls victim to cryptomining scheme, minor breach
Tesla appears to be the latest prominent victim of a malicious cryptomining scheme.
Cloud security company RedLock reported on Tuesday that hackers found exposed elements of the electric car company’s cloud environment, giving them access to both sensitive company data and computing power that they used to mine cryptocurrency.
According to RedLock, the hackers infiltrated an unprotected Kubernetes console, a tool used to automate the way a user deploys containerized apps. The hackers performed the cryptomining from within the Kubernetes console, employing what the RedLock describes as “sophisticated evasion techniques” that made their activity difficult to detect compared to other cryptomining.
Unlike with other cryptomining ploys, RedLock says, the hackers didn’t use well-known mining software, such as Coinhive. Rather, they took other code and tweaked the script to connect to an unlisted endpoint. RedLock says this made it difficult for standard threat intelligence indicators to detect the activity. The hackers also used CloudFare to obfuscate the true IP address behind their cryptomining server.
In addition to using the Kubernetes console to mine cryptocurrency, the hackers found exposed credentials to an Amazon Web Services S3 bucket belonging to Tesla. RedLock says the server contained sensitive data, such as telemetry.
In an emailed statement, a Tesla spokesperson said the impact “seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.” The spokesperson also said that the company resolved the issue “within hours” of being notified, and encourages this type of research through its bug bounty program.
The spokesperson did not say whether RedLock used the bug bounty program to notify Tesla.
RedLock CTO Gaurav Kumar told CyberScoop in an email that RedLock discovered the unusual activity on January 30 and notified Tesla immediately. He added that there is no way to tell for how long the cryptojacking was operating.
In a press release, Kumar urged clients of cloud service providers (such as Tesla, using AWS) to do more to monitor their network infrastructure for threats and suspicious activity.
“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence,” Kumar said. “[S]ecurity is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”