Hackers Cryptojack Tesla’s Cloud to Mine Monero
According to RedLock, a boutique tech security consultancy, crypto-jacking is set to become one of the biggest security concerns for enterprise computing worldwide. RedLock's latest research notes a changing security context, one in which the threat landscape is shifting from data theft to the theft of computational power. Tesla, a RedLock client, was reportedly the victim of a serious crypto-jacking incident when poor access hygiene left system credentials exposed to outsiders.

What We Know

The RedLock team, working in partnership with Tesla, has published a new report on the alarming increase in crypto-jacking and on how the security landscape is shifting from data theft to computational power theft. The "Crypto-jacking Epidemic", as RedLock describes the issue, will have far-reaching consequences for enterprise computing.

Late last year RedLock's Cloud Security Intelligence (CSI) team "found hundreds of Kubernetes administration consoles accessible over the internet without any password protection", among them consoles belonging to Gemalto and Aviva, two multinational companies. The latest company hit by this epidemic is Tesla. The electric vehicle manufacturer, the CSI team noted, was attacked in the same way: through a Kubernetes console with no password protection. The exposed console gave the hackers a path into Tesla's Amazon Web Services (AWS) environment, including Amazon S3 (Simple Storage Service) storage, and the data there gave them access to telemetry and other vehicle metrics from Tesla's testing fleet. Accessing this sensitive information was not, however, the main purpose of the intrusion. The real purpose was to mine cryptocurrency on the spare capacity of Tesla's AWS environment. The evasive measures the hackers took show how sophisticated this new computational threat is already becoming. The hackers did not connect to a well-known public mining pool.
Instead they installed mining pool software of their own and configured the miner to connect to an "unlisted", semi-public endpoint, so IP- and domain-based threat intelligence feeds, which list the addresses of known pools, had nothing to match. The hackers also placed that endpoint behind Cloudflare, a free content delivery network, which hides the true IP address of the mining server. This IP sleight of hand defeats domain and IP reputation tracking as a way of spotting this kind of threat. The final touch was a CPU usage counter-measure: the mining software was configured to run at low CPU usage, staying below the thresholds that would normally raise an alert. This careful rationing of stolen computational power could become a fundamental problem for enterprise computing environments worldwide.

Countering the Threat

The single biggest problem outlined in this case study is the pervasiveness of poor access hygiene. The best weapon available to any organisation is, and remains, good information security hygiene. Sound management of access permissions, and of the user levels within them, gives an organisation a solid structural foundation for cyber security. RedLock's latest security report found that 73 percent of organisations still allow root user accounts to be used for routine tasks, which goes against sector-wide best practice guidelines. Amazon itself has openly stated that administrators should lock down root-level access and instead create separate user identities whose permissions are tied to role requirements and actual usage needs. RedLock's CSI team also noted that, as the Tesla experience shows, hygiene around access keys is often lax and rotation tardy: in around 40 percent of the environments the team verified, access keys had not been rotated in over 90 days.
This is problematic because long-lived keys tend to carry high levels of access, so a leaked key can mean full system compromise, and it hands the hackers exactly the kind of capacity that crypto-jacking needs. RedLock advises clients to follow a simple four-step procedure to curb the theft of computational power for crypto-jacking:

1. Deny root account access to all but the few administrators who genuinely need it.
2. Require multi-factor authentication on all privileged user accounts.
3. Create a hygiene policy framework that force-rotates access keys, with no user or system bypass.
4. Develop user and access behaviour metrics and monitor them for deviation, so that malicious intrusion is identified swiftly.
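One way to check the first three of these points against an AWS account is to audit the IAM credential report. The script below is an added example, not code from RedLock or Tesla: it parses the CSV that `aws iam get-credential-report` returns (the column names follow that report's layout), using the 90-day key age quoted above as the rotation threshold. The sample report, the account ID in it and the 30-day window used to call root console use "routine" are constructed for this example.

```python
"""Audit an IAM credential report for the access-hygiene failures described above.

Added example (not RedLock's or Tesla's code). Input is the CSV produced by
`aws iam get-credential-report`; the sample below is constructed for this
example and carries only the columns the checks need.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)        # rotation threshold quoted in the article
ROOT_USE_WINDOW = timedelta(days=30)    # assumed: root sign-in this recent counts as routine use

# Constructed sample report; the account ID 123456789012 is fictitious.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2018-02-01T11:30:00+00:00,false,true,2016-01-10T09:00:00+00:00,2018-02-01T11:30:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2017-03-02T08:00:00+00:00,false,N/A,false,true,2017-06-15T08:00:00+00:00,2018-02-10T07:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-05-20T08:00:00+00:00,true,2018-02-09T10:00:00+00:00,true,true,2018-01-05T08:00:00+00:00,2018-02-10T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-08-01T08:00:00+00:00,true,2018-02-08T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2018, 2, 20, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """Report timestamps are ISO 8601; the placeholder strings mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now):
    """Return a list of (user, rule, detail) findings, one per hygiene violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console_user = is_root or row["password_enabled"] == "true"

        # Step 1: root must not be used for routine work and must not hold API keys.
        if is_root:
            last_used = parse_time(row["password_last_used"])
            if last_used is not None and now - last_used <= ROOT_USE_WINDOW:
                findings.append((user, "root-console-use",
                                 f"root signed in {(now - last_used).days} days ago"))

        # Step 2: every identity that can sign in to the console needs MFA.
        if console_user and row["mfa_active"] != "true":
            findings.append((user, "no-mfa", "console sign-in enabled without MFA"))

        # Step 3: active access keys must have been rotated within MAX_KEY_AGE.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root-access-key", f"access key {n} is active on root"))
            age = now - parse_time(row[f"access_key_{n}_last_rotated"])
            if age > MAX_KEY_AGE:
                findings.append((user, "stale-key",
                                 f"access key {n} last rotated {age.days} days ago"))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to track the share of unrotated keys over time."""
    return dict(Counter(rule for _, rule, _ in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_REPORT, AUDIT_TIME)
    for user, rule, detail in results:
        print(f"{rule:17} {user:15} {detail}")
    print(summarize(results))
```

Against a live account, generate the report with `aws iam generate-credential-report`, fetch it with `aws iam get-credential-report --query Content --output text | base64 -d`, and pass the decoded text to audit() with the current UTC time. Note that the root row and the service user ci-deploy are flagged even though both were used recently, which is the point: recent use says nothing about whether a key has leaked. The fourth recommendation, behavioural monitoring, needs a stream of activity events such as CloudTrail rather than this point-in-time snapshot.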