Electric car maker Tesla’s cloud service was hacked to mine cryptocurrencies worth more than $1 billion dollars, according to news reports.
RedLock, a cloud security intelligence firm, revealed that Tesla’s Amazon Web Services software container Kubernetes was hacked easily — because it did not even have a password!
RedLock exposed a hack of other firms last October for Bitcoin mining worth more than $200 million. After the rise in Bitcoin valuation at the end of 2017, that would also be worth more than $1 billion dollars now.
Neither of those companies, Aviva and Gemalta, had their sites password protected at the time of the hacks. Tesla didn’t seem to learn from those mistakes.
The lack of password might have made the initial hack easy, but the hackers were sophisticated enough to not use an already known mining pool.
Instead, they inserted their own mining pool software that then connected the script to a dead end, preventing the discovery of the identity of the hackers or any recovery of cryptocurrency.
The hackers also kept their CPU usage low to prevent being spotted. Essentially, they hid in plain sight, placing the mining pool’s IP address behind content delivery network Cloudflare.
RedLock reported that the software used on the most recent hack was more sophisticated, however.
The previous hacks showed that hackers were systematically targeting large cloud operations and avoiding detection by law enforcement.
Since then, a number of other cryptojacking incidents have been uncovered and there are notable differences in the attacks.
In cases involving the WannaMine malware, a tool called Mimikatz was used to pull credentials from a computer’s memory to infect other computers on the network. The malware then uses the infected computers’ compute to mine Monero quietly in the background.
The use of Mimikatz ensures that the malware does not have to rely on the EternalBlue exploit and enables it to evade detection on fully patched systems.
Tesla made crypto news last year when a Tesla car owner reported that he had been mining Bitcoin and other cryptocurrencies with the car’s supercharger by placing a mining rig in his trunk.
Bug bounty
A Tesla spokesperson said there is “no indication” the breach impacted customer privacy or compromised the security of its vehicles.
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesperson said.
“The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
According to RedLock, mining cryptocurrency is likely a more valuable use of Tesla’s servers than the data it stores.
“The recent rise of cryptocurrencies is making it far more lucrative for cybercriminals to steal organizations’ computing power rather than their data,” RedLock CTO Gaurav Kumar said.
“In particular, organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs. In the past few months alone, we have uncovered a number of crypto jacking incidents including the one affecting Tesla.”
RedLock’s blog post describing the hack, titled, “Lessons from the Cryptojacking Attack at Tesla,” ends with suggestions to companies to prevent similar cryptojacking incidents in the future, namely monitoring configurations, network traffic, and suspicious user behavior.
Not to mention using a password.
