Crypto Hackers Exploited Tesla’s Amazon Cloud Account

Crime, News | February 21, 2018 By:

Electric vehicle maker Tesla is the latest victim of a cryptocurrency mining malware attack, according to researchers at security firm RedLock.

On Tuesday, RedLock released its 2018 Cloud Security Trends report which documents the discovery of an unprotected Kubernetes console belonging to automaker Tesla. Kubernetes console is an open-source application used by large companies to manage API and server infrastructure deployed on cloud hosting providers.

RedLock researchers said the hackers infiltrated Tesla’s Kubernetes console, which was not password-protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment, which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data, such as telemetry. While there’s no evidence hackers stole any data, they did install a mining software that utilized the computer processing power of Tesla’s Kubernetes pod to mine cryptocurrency.

“Unlike other crypto mining incidents, the hackers did not use a well-known public “mining pool” in this attack,” the researchers said. “Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.”

The attackers hid the the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers also configured the mining software to use a non-standard port which makes it hard to detect the malicious activity based on port traffic. They also throttled the mining software to use only a small portion of Tesla’s CPU resources to evade detection.

A Tesla spokesperson confirmed that hackers installed cryptocurrency mining malware onto the company’s cloud platform and test vehicles. But there is “no indication” the breach impacted customer privacy or compromised the security of its vehicles.

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesperson said. “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

In an interview with Gizmodo, RedLock CTO Gaurav Kumar said the recent rise of cryptocurrencies is making it far more lucrative for cybercriminals to steal organizations’ computing power rather than their data.

“Organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs,” Kumar said. “In the past few months alone, we have uncovered a number of cryptojacking incidents including the one affecting Tesla.”