Lessons from the Cryptojacking Attack at Tesla

The Cryptojacking Epidemic

A few months ago, the RedLock Cloud Security Intelligence (CSI) team found hundreds of Kubernetes administration consoles accessible over the internet without any password protection.

A couple of the instances belonged to Aviva, a British multinational insurance company, and Gemalto, the world’s largest manufacturer of SIM cards. Within these consoles, access credentials to these organizations’ Amazon Web Services (AWS) and Microsoft Azure environments were exposed. Upon further investigation, the team determined that hackers had secretly infiltrated these organizations’ public cloud environments and were using the compute instances to mine cryptocurrencies (refer to Cloud Security Trends – October 2017 report).

Since then, a number of other cryptojacking incidents have been uncovered and there are notable differences in the attacks. In cases involving the WannaMine malware, a tool called Mimikatz is used to pull credentials from a computer’s memory to infect other computers on the network. The malware then uses the infected computers’ compute to mine a cryptocurrency called Monero quietly in the background. The use of Mimikatz ensures that the malware does not have to rely on the EternalBlue exploit and enables it to evade detection on fully patched systems.

Nikola Tesla, best known for his contributions to the design of the modern alternating current (AC) electricity supply system, aptly suggested: everything evolves over a period of time. Essentially, we are beginning to witness the evolution of crytopjacking as hackers recognize the massive upside of these attacks and begin to explore new variations to evade detection.

“It is paradoxical, yet true, to say, that the more we know, the more ignorant we become in the absolute sense, for it is only through enlightenment that we become conscious of our limitations. Precisely one of the most gratifying results of intellectual evolution is the continuous opening up of new and greater prospects.”~ Nikola Tesla

The Latest Victim: Tesla

New research from the RedLock CSI team revealed that the latest victim of cryptojacking is Tesla. While the attack was similar to the ones at Aviva and Gemalto, there were some notable differences. The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.

Figure 1: Exposed credentials to Tesla’s AWS environment

In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods. The team noted some sophisticated evasion measures that were employed in this attack.

• Unlike other crypto mining incidents, the hackers did not use a well known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.
• The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.
• Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
• Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.

The RedLock CSI team immediately reported the incident to Tesla and the issue was quickly rectified.

Figure 2: Crypto mining script running in Tesla’s Kubernetes pod

Preventing Such Compromises

The skyrocketing value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute power in organizations’ public cloud environments. The nefarious network activity is going completely unnoticed. Here are a few things that can help organizations detect suspicious activities such as crypto mining across fragmented cloud environments:

• Monitor Configurations: With DevOps teams delivering applications and services to production without any security oversight, organizations should monitor for risky configurations. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type. Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.
• Monitor Network Traffic: By monitoring network traffic and correlating it with configuration data, Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

Figure 3: RedLock platform illustrating bitcoin mining traffic detection

Monitor for Suspicious User Behavior: It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach. Organizations need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behavior that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies; see figure 4 below for an example of anomalous user activity detected using the RedLock Cloud 360 platform. In this case, it is possible that Tesla’s AWS access credentials that were leaked from the unprotected Kubernetes pod were subsequently used to perform other nefarious activities.

Figure 4: RedLock platform illustrating anomalous user activity detection

Learn More About Preventing Cryptojacking

You’re invited to join RedLock’s live webinar on March 29th at 10 AM PT/ 1 PM ET.

We’ll be discussing emerging cloud security threats, the Tesla cryptojacking incident, and cloud threat defense tips to protect your public cloud environment.