New research from cloud security vendor RedLock shows threat actors gained access to enterprises' cloud servers...
and used them for cryptojacking.
RedLock said it discovered last year "hundreds of Kubernetes administration consoles accessible over the internet without any password protection." The vendor's Cloud Security Intelligence (CSI) team investigated the exposed consoles and found that some contained login credentials to enterprises' Amazon Web Services and Microsoft Azure cloud environments.
"Upon further investigation," RedLock wrote in a blog post, "the team determined that hackers had secretly infiltrated these organizations' public cloud environments and were using the compute instances to mine cryptocurrencies."
Infected enterprises include SIM card maker Gemalto, insurance provider Aviva and electric car maker Tesla. RedLock provided details on Tesla's incident, which the CIS team said is somewhat different than the other cryptojacking attacks that hit Gemalto and Aviva.
Like other organizations' Kubernetes consoles, Tesla's was not password protected. Threat actors accessed one Kubernetes pod that held credentials for Tesla's AWS environment, which included an Amazon S3 (Simple Storage Service) bucket with sensitive data.
But RedLock researchers said the cryptojacking threat actors took additional steps to evade detection once they accessed Tesla's AWS servers. Specifically, the attackers set up a private cryptomining pool, rather than use a public one, which RedLock said makes the malicious activity harder to find through IP/domain based detection.
In addition, the attackers hid the IP address for the cryptomining pool behind CloudFlare's content delivery network and configured the mining software to listen on a non-standard port, which RedLock said made detection even more challenging. Finally, the CSI team noted that Tesla's Kunernetes console showed the cloud servers' CPU usage "was not very high," indicating the threat actors intentionally kept usage low so as to not raise suspicion.
RedLock said the attacks show that crypotjacking is becoming increasingly popular among cybercriminals. "The skyrocketing value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute power in organizations' public cloud environments," the vendor wrote. "The nefarious network activity is going completely unnoticed.
RedLock said it reported its finding to Tesla and that the car maker rectified the issue. It's unclear if Tesla's S3 bucket data was exfiltrated from the cloud servers, though a Tesla spokesperson told SearchSecurity that it does not believe customer data was affected in the breach.
"We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it," a Tesla spokesperson told SearchSecurity. "The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."