Hackers recently compromised an Amazon Web Service (AWS) account owned by Tesla, the Elon Musk-owned automotive and energy company. The hack exposed sensitive data, including telemetry, mapping and vehicle service data. Hackers also took advantage of the open server to run cryptocurrency-mining malware.
How did it happen?
Misconfigured and unsecured servers are not unusual — there have been many instances where data was exposed on a server that an organization had no idea was accessible. In this instance, the discovery was made by security firm RedLock. In their report, they pointed to an unsecured console for Kubernetes, which is an open-source application used to manage cloud-based resources and tools. RedLock added that “the hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”
The hackers then accessed Tesla’s AWS server and deployed their cryptojacking operation, which is based on the Stratum bitcoin mining protocol. There is no information on how long the operation ran, or how much currency was mined. According to the security report, the hackers used certain tactics to evade detection and stealthily continue operations — from hiding their malware behind an IP address hosted by CloudFlare to dialing down the CPU resources used to mine.
As soon as they identified the problem, RedLock researchers reported their findings through Tesla’s bug bounty program and received an award of over US$3,000. In response to the discovery Tesla representatives said that they addressed the vulnerability within hours of the reporting, and the information compromised only involved internally-used engineering test cars. Apparently, their initial investigation did not find customer privacy or vehicle security compromised.
Cryptojacking servers is a rising concern
This incident comes only a few days after news of JenkinsMiner, a hybrid remote access trojan and XMRig miner that exploited the known vulnerability CVE-2017-1000353, reportedly started targeting vulnerable Jenkins servers. (The vulnerability in question was actually already disclosed and patched in April 2017 by Jenkins.)
This miner reportedly already made around US$3 million in Monero from exploited Windows machines; however, the hackers shifted focus to the more powerful Jenkins servers. Holding an estimated 1 million users, the Jenkins Continuous Integration is an open-source automation server and popular DevOps and CI orchestration tool.
As more cryptojackers are targeting servers, organizations have to take the proper precautions. A company has to create a fortified environment to secure their data and guard their resources. Some guidelines to follow would be:
Implement more stringent management of server credentials and maintain full visibility over third-party applications that contain these credentials
Utilize all privacy features and configure servers securely, especially those containing sensitive data
Implement access policies and ensure proper encryption to fit the needs of both the organization and their customers
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit vulnerabilities even without an engine or pattern update.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).