Tesla intruders infiltrated Amazon cloud account to mine cryptocurrency

21 Feb 2018

Tesla showroom in London. Image: Hadrian/Shutterstock

Hackers find their way through cracks in Tesla’s cloud environment.

RedLock security researchers have found that an anonymous hacker (or hackers) broke into an Amazon account owned by Tesla to mine cryptocurrency.

According to a report issued by RedLock on 20 February, the miners were able to access Tesla’s Amazon Web Services (AWS) environment via an unprotected Kubernetes console. Kubernetes is an open source platform used to automate, scale and manage containerised applications, and the Tesla console contained access credentials to the company’s AWS.

Cryptocurrency mining by stealth

Attackers not only gained unauthorised access to private Tesla data, but also used compute resources within the company’s AWS environment to carry out cryptojacking, the stealthy mining of cryptocurrency without the company’s knowledge.

The hackers used specific techniques to evade detection, according to RedLock. They installed mining pool software and configured the malicious script to connect to an ‘unlisted’ endpoint, making it far more difficult for IP and domain-based threat intelligence feeds to detect suspicious activity.

They also hid the true IP address of the mining pool server behind Cloudflare, a free content delivery network service, and intentionally kept CPU usage low to hide from threat detection. By keeping CPU usage at a minimum, hackers can camouflage their activity.
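Because the pool endpoint was unlisted and fronted by a CDN, a defender has to look at what the traffic says rather than where it goes. The following is an added example, not code from RedLock or Tesla: it flags cleartext Stratum JSON-RPC handshakes in captured egress payloads regardless of destination, and the flow records, addresses, pod names and `FEED_IPS` blocklist are constructed assumptions.

```python
import json

# JSON-RPC method names defined by the Stratum mining protocol.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
}

def stratum_methods_in(payload: bytes) -> set:
    """Return Stratum method names seen in newline-delimited JSON-RPC."""
    found = set()
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:  # not JSON, or not valid UTF-8
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if isinstance(method, str) and method in STRATUM_METHODS:
            found.add(method)
    return found

def flag_flows(flows, feed_ips=frozenset()):
    """Flag flows by payload content; note which ones an IP feed would miss."""
    alerts = []
    for flow in flows:
        methods = stratum_methods_in(flow["payload"])
        if methods:
            alerts.append({
                "src": flow["src"],
                "dst": f'{flow["dst_ip"]}:{flow["dst_port"]}',
                "methods": sorted(methods),
                "missed_by_ip_feed": flow["dst_ip"] not in feed_ips,
            })
    return alerts

# Constructed sample data: documentation-range addresses, made-up pod names.
FEED_IPS = frozenset({"192.0.2.50"})  # hypothetical threat-intel blocklist
SAMPLE_FLOWS = [
    {"src": "pod-a", "dst_ip": "203.0.113.10", "dst_port": 8080, "payload":
     b'{"id":1,"method":"mining.subscribe","params":[]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker","x"]}\n'},
    {"src": "pod-b", "dst_ip": "198.51.100.7", "dst_port": 443,
     "payload": b"GET /healthz HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "pod-c", "dst_ip": "198.51.100.9", "dst_port": 8080,
     "payload": b'{"id":7,"method":"metrics.push","params":[]}\n'},
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS, FEED_IPS):
        print(alert)
```

This only sees Stratum sent in cleartext; sessions wrapped in TLS need other signals, such as long-lived connections from workloads that have no reason to make them.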

Tesla’s Kubernetes console was not password-protected, and one of the AWS S3 buckets therein contained sensitive data, such as telemetry.

The issue was quickly rectified once Tesla was informed by RedLock researchers.

Cloud security is not just up to providers

The increasing value of cryptocurrencies is seeing more and more hackers shifting focus from stealing data to stealing compute power from public cloud environments. This type of malicious activity can often go completely unnoticed.

CTO of RedLock and head of the cloud security intelligence team, Gaurav Kumar, said: “The message from this research is loud and clear: the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities.”

He said that cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 were caused by their negligence. He did note, however, that security should be a “shared responsibility”.

Kumar added: “Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic and host vulnerabilities. Without that, anything the providers do will never be enough.”

Tesla not the only victim

RedLock researchers found that the Tesla thieves were using cryptocurrency mining software called Stratum, but the type and amount of virtual loot mined was not ascertained.

Tesla is not the only organisation that RedLock found with less-than-stellar console security. Insurance firm Aviva and SIM card manufacturer Gemalto were also targeted in similar attacks and both companies’ cloud environments were easily and successfully infiltrated.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.