It is 2018, and the easiest way to make quick money at someone else's expense is mining cryptocurrency. This time, however, researchers have found a new victim of cryptojacking: Tesla.
Researchers discovered that some of Tesla's Amazon Web Services cloud infrastructure was running mining malware in a far-reaching and well-hidden cryptojacking campaign. The researchers disclosed the infection to Tesla last month, and the company quickly moved to decontaminate and lock down its cloud platform within a day. The carmaker's initial investigation indicates that data exposure was minimal.
Red Lock discovered the intrusion while scanning the public internet for misconfigured and unsecured cloud servers, a practice that more and more defenders depend on as exposures from database misconfigurations skyrocket.
"We got alerted that this is an open server and when we investigated it further that’s when we saw that it was actually running a Kubernetes, which was doing cryptomining," says Gaurav Kumar, chief technology officer of Red Lock. "And then we found that, oh, it actually belongs to Tesla."
The attackers had apparently discovered that this particular Kubernetes console—an administrative portal for cloud application management—wasn't password protected and could therefore be accessed by anyone.
From there they would have found that one of the console's "pods," or storage containers, included login credentials for a broader Tesla Amazon Web Services cloud environment. This allowed them to burrow deeper, deploying scripts to establish their cryptojacking operation, which was built on the popular Stratum bitcoin mining protocol.
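The weak point in the chain above is a pod spec carrying cloud credentials in plain text. As an added example (not from the original article, Red Lock, or Tesla), here is a defender-side audit that walks pod objects in the shape of `kubectl get pods -o json` and flags containers whose AWS credentials are set inline rather than through a Secret reference; the AWS access key ID pattern is an assumption about the well-known `AKIA…` prefix, and the sample pods are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Well-known shape of an AWS access key ID; its presence in a manifest is a
# reliable sign that a key pair is being handled inline.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Variables that should only be set via valueFrom (a Secret reference), never inline.
SENSITIVE_ENV = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

def audit_pod(pod: dict) -> List[Tuple[str, str, str]]:
    """Check one pod object (shape of `kubectl get pod -o json`).
    Returns (pod name, container name, reason) tuples."""
    findings = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        for env in c.get("env", []):
            value = env.get("value")
            if value is None:
                continue  # valueFrom: sourced from a Secret/ConfigMap, not inline
            if env.get("name") in SENSITIVE_ENV:
                findings.append((pod_name, cname, f"literal {env['name']} in env"))
            elif AWS_KEY_ID.search(value):
                findings.append((pod_name, cname, f"AWS key ID in env {env['name']}"))
        # Credentials are sometimes passed on the command line instead.
        for token in c.get("command", []) + c.get("args", []):
            if AWS_KEY_ID.search(token):
                findings.append((pod_name, cname, "AWS key ID in command/args"))
    return findings

def audit_pods(pods: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Run audit_pod over every pod (e.g. the `items` list of `kubectl get pods -o json`)."""
    return [f for pod in pods for f in audit_pod(pod)]

# Constructed sample input: one pod mishandling credentials, one using a Secret reference.
SAMPLE_PODS = [
    {"metadata": {"name": "telemetry-worker"},
     "spec": {"containers": [{"name": "worker", "image": "example/worker",
              "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEY000001"},
                      {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret"}]}]}},
    {"metadata": {"name": "api"},
     "spec": {"containers": [{"name": "api", "image": "example/api",
              "env": [{"name": "AWS_ACCESS_KEY_ID",
                       "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}}]}]}},
]

if __name__ == "__main__":
    print(*audit_pods(SAMPLE_PODS), sep="\n")
```

On a live cluster, feed the `items` list from `kubectl get pods -A -o json` into `audit_pods`; a clean result does not prove the dashboard itself is authenticated, which is a separate check.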
Researchers say it's difficult to gauge exactly how much mining the attackers accomplished before being discovered. But they note that enterprise networks, and particularly public cloud platforms, are increasingly popular targets for cryptojackers, because they offer a huge amount of processing power in an environment where attackers can mine under the radar since CPU and electricity use is already expected to be relatively high. By riding on a corporate account as large as Tesla's, the attackers could have mined indefinitely without a noticeable impact.
A Tesla spokesperson said in a statement that the risk was minimal: “We addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
Red Lock's Kumar notes that the Tesla attackers were running their own mining server, making it less likely that it would land on malware-scanner blacklists. The mining malware also communicated with the attacker's server on an unusual IP port, making it less likely that a port scanner would detect it as malicious. And the obfuscation techniques didn't stop there.
The attack communications all happened over SSL web encryption to hide their content from security-monitoring tools, and the mining server also used a proxy server as an intermediary to mask it and make it less traceable.