Researchers at RedLock, a cloud monitoring and defense firm, have published a report stating that Tesla’s Amazon Web Services (AWS) cloud platform was compromised by hackers engaged in “cryptojacking”. While hackers of the past may have stealthily accessed and stolen private information, with cryptojacking the only thing being hijacked is computing power.
Hackers act without permission and use the stolen computing power for cryptocurrency mining, with the proceeds routed to the thieves’ wallets. Targets range from individual home PCs and small businesses to huge institutions, schools, and even industrial control systems. Cryptojacking started making its emergence sometime in mid 2017, and there have already been several cases of it being used against large companies (e.g. Aviva, Gemalto).
RedLock’s findings state that, while doing routine scans across the internet for unsecured cloud servers, they discovered Tesla’s AWS cloud infrastructure was running mining malware. Tesla’s AWS environment was found to be running a Kubernetes console that was not password protected (the Kubernetes console is an administrative portal for managing cloud application services). Once the Kubernetes console was infiltrated, the hackers were able to dig deeper and find a pod that contained access credentials to Tesla’s AWS environment. From there, the hackers not only accessed private data, they also installed mining software that used some of Tesla’s massive computing power to mine cryptocurrencies.
The RedLock team listed a few ways the hackers were able to remain undetected while the compromise was under way:
- Unlike other crypto mining incidents, the hackers did not use a well-known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.
- The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on demand by registering for free CDN services. This makes IP-address-based detection of crypto mining activity even more challenging.
- Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
- Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
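As an added illustration (not from the RedLock report and not Tesla’s own tooling), the following Python heuristic flags egress sessions that share the traits listed above without relying on the two signals the attackers evaded, IP reputation feeds and CPU load. The flow records, pod names and destination baseline are constructed samples.

```python
# Constructed sample egress flow records, one per TCP session:
# (source pod, destination IP, destination port, session duration in seconds,
#  bytes sent, bytes received). Addresses use documentation/test ranges.
SAMPLE_FLOWS = [
    ("web-frontend-1", "203.0.113.10", 443, 120, 40_000, 900_000),        # short HTTPS call to a known API
    ("web-frontend-1", "10.0.3.7", 5432, 86_400, 3_000_000, 9_000_000),   # busy internal database session
    ("batch-worker-3", "198.51.100.25", 8444, 86_400, 180_000, 160_000),  # day-long, tiny, odd port, unknown host
    ("batch-worker-3", "198.51.100.25", 8444, 79_200, 170_000, 150_000),
    ("monitoring-2", "203.0.113.10", 443, 30, 5_000, 12_000),
]

# Ports the workloads are expected to talk to externally (hypothetical baseline).
STANDARD_EGRESS_PORTS = {53, 80, 443}
# Destinations previously observed and approved for this cluster (hypothetical baseline).
APPROVED_DESTINATIONS = {"203.0.113.10", "10.0.3.7"}


def flag_suspicious_egress(flows, approved=APPROVED_DESTINATIONS,
                           min_duration=3600, max_rate_bps=1000):
    """Return {(pod, dst_ip, dst_port): [reasons]} for sessions that look like
    stratum-style miner traffic: long-lived but low-bandwidth, to a non-standard
    port, at a destination outside the cluster's egress baseline.

    A session is flagged only when all three traits hold, which keeps ordinary
    long database sessions and short API calls out of the results.
    """
    findings = {}
    for pod, dst, port, duration, bytes_out, bytes_in in flows:
        rate_bps = (bytes_out + bytes_in) * 8 / duration if duration else 0.0
        reasons = []
        if dst not in approved:
            reasons.append("destination not in egress baseline")
        if port not in STANDARD_EGRESS_PORTS:
            reasons.append(f"non-standard port {port}")
        if duration >= min_duration and rate_bps <= max_rate_bps:
            reasons.append("long-lived low-bandwidth session")
        if len(reasons) == 3:
            # Repeated sessions to the same endpoint collapse into one finding.
            findings[(pod, dst, port)] = reasons
    return findings


if __name__ == "__main__":
    for (pod, dst, port), reasons in flag_suspicious_egress(SAMPLE_FLOWS).items():
        print(f"{pod} -> {dst}:{port}: " + "; ".join(reasons))
```

Adding a newly seen destination to the baseline, rather than to a reputation blocklist, is the deliberate choice here: a CDN-fronted endpoint can change IP at will, but it still has to stay outside the set of hosts the workload normally talks to.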
Once RedLock discovered the compromise and the mining malware, Tesla was informed and addressed the issue within hours. Tesla states that no customer data was stolen and that the damage from the hack appeared to be limited to Tesla’s engineering test vehicles.
Although the total amount the hackers earned from their illicit and very illegal mining scheme is unknown, it is reported that Tesla’s Bug Bounty program awarded the researchers at RedLock $3,1337 (1337 is “leet”, aka elite, in internet lingo) for discovering the hack.