The Tesla cloud environment has fallen victim to a cryptocurrency mining malware attack, according to cybersecurity software company RedLock. On Tuesday, its Cloud Security Intelligence (CSI) team notified Tesla that hackers had exploited an insecure Kubernetes console (it was not protected by a password), which was then used to infiltrate its AWS cloud environment and siphon computer processing power to mine cryptocurrencies. Its cloud contained an Amazon S3 bucket, which stored sensitive data such as telemetry.
A Tesla spokesperson told Gizmodo that there was “no indication” that the incident had compromised customer information or affected the security of its vehicles. “We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesperson said. They added, “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
The hackers installed mining pool software into Tesla’s cloud – unlike in other cryptomining incidents that RedLock has observed, in which a well-known public mining pool was used. The malicious script was also configured to connect to an “unlisted” or semi-public endpoint, which makes it hard for standard IP/domain based threat intelligence feeds to identify the malicious activity. The hackers further hid the genuine IP address of the mining pool server behind Cloudflare’s free CDN service, and kept CPU usage low during the hack, making detection more difficult. Finally, the mining software was configured to listen on a non-standard port, which makes the malicious activity difficult to spot from port-based traffic rules alone.
RedLock’s CTO Gaurav Kumar said that public cloud environments were especially vulnerable to mining hacks “due to the lack of effective cloud threat programs”. On Tuesday, the RedLock CSI team published a report on the cryptojacking of Tesla and what it described as the wider “cryptojacking epidemic”. It described other instances of cryptojacking at Aviva, a British multinational insurance company, and Gemalto, the largest manufacturer of SIM cards in the world. Cryptojacking is evolving rapidly as hackers realize the potential upside of these attacks while the value of cryptocurrencies continues to rise exponentially.
RedLock noted several actions organizations can take to help them detect suspicious activities such as cryptomining in cloud environments:
- Monitor configurations and use tools that automatically discover resources as they are created, working out the applications running on the resource, and then applying the right policies based on the resource or application type.
- Monitor network traffic – if Tesla had been monitoring its network traffic and correlating it with configuration data, the company could have noticed the suspicious activity taking place within the compromised Kubernetes console.
- Monitor for suspicious user behaviour – organizations need to watch for anomalous behaviour, identifying event-based anomalies in addition to geo-location or time-based anomalies.