Tesla drives cryptojack gang's AWS cloud down Kubernetes avenue

A Tesla-owned AWS account was hacked to mine Monero. Who knows when; who knows for how long. Shocking.

The hackers drove straight in using an “unsecured” Kubernetes admin console (i.e., it had no password). They ran the WannaMine fileless APT on auto-pilot—and might also have stolen some sensitive data from Tesla drivers.

It’s an electrifying story. In this week’s Security Blogwatch, we’re charged with plugging in the route of the tale, and bringing you up to speed.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  Fergie improved 

State of Security Operations 2018

Driving you crazy yet?

What’s the craic? A fortunate Robert Hackett reports Tesla Hackers Hijacked Amazon Cloud Account to Mine Cryptocurrency:

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to “mine” cryptocurrency. … A 3-year-old cybersecurity startup, said they discovered the intrusion last month.

[It] is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims’ computers to generate virtual currencies like Bitcoin. … Researchers said they found Tesla’s credentials on an unsecured … Kubernetes console.

The hackers quietly commandeered the console and ran scripts letting them mine digital coins on Tesla’s dime. [They] employed cryptocurrency mining software called Stratum. … To lay low, they appeared to intentionally reduce the CPU usage … and to mask their Internet addresses behind … CloudFlare

The scheme potentially exposed an … S3 bucket holding Tesla telemetry, mapping, and vehicle servicing data.

Oh dear. The story leaves Devin Coldewey cold, in a way: [You’re fired—Ed.]

The strange new breed of malicious cryptocurrency miners spares no one: — Tesla is the latest to be struck by this trendy form of hackery.

It’s only the latest example of several detected by cloud security outfit RedLock, which has tracked a series of Kubernetes admin consoles wide open to anyone. … If RedLock could find them, so could hackers [who] managed to quietly mine using Tesla’s AWS pod for… well, it’s anybody’s guess how long.

Obviously, the solution here is to have literally any kind of security.

What does this Redlock gang have to say for itself? Lessons from the Cryptojacking Attack at Tesla:

[In] cryptojacking incidents … involving the WannaMine malware, a tool called Mimikatz is used to pull credentials from a computer’s memory to infect other computers on the network. The malware then uses the infected computers … to mine a cryptocurrency called Monero.

Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. … In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.

The skyrocketing value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute power.

Ain’t that the truth? Cory Doctorow calls it an Epidemic of cryptojacking:

Enter the cryptocurrency bubble: turning malware into money has always been tough. … But cryptojacking cuts out the middleman. … As long as cryptocurrencies continue to inflate, this is a great racket.

Wannamine is a cryptojacker that uses Eternalblue … the same leaked NSA superweapon that powered last year's Wannacry ransomware epidemic. … Discovering the subtle bugs the NSA weaponized is sophisticated work; … but using these bugs is something that real dum-dums can do, as was evidenced by the hamfisted Wannacry epidemic.

Ah yes, the Shadow Brokers’ gift that keeps on giving. As Tim Cushing quips from the ETERNALDAMAGE dept:

Thanks to the NSA, you may be involved in mining cryptocurrency, but you're likely not seeing any of the benefits. … The good news is you won't have to cough up a ransom to retake control of your computer.

This is the path the NSA's malware has taken [us]. This won't be the last we'll see of malicious software built on NSA hacking tools. It will serve as a continual reminder of the government's untrustworthiness when it comes to secure computing.

Is it time for a colorful analogy, captain? Here’s Rosie-Redstar:

The NSA is responsible for (excuse my likely poor metaphor here) the technological equivalent of attempting a controlled demolition of a couple buildings and leveling most of the town as collateral damage.

And, donning her tinfoil hat, it’s Kathy Padilla:

Or they could have set up the release to use and fund off the books operations - ala Air America.

I didn’t say that out loud, did I?

But surely this is just a harmless nuisance, not some sort of disruptive threat? Ryan McCombs, Jason Barnes, Karan Sood and Ian Barton explore the question:

Naturally, where there are profits to be had, crime is not far behind. … While mining itself is legal, fraudulently compromising systems to do the work is not.

While cryptocurrency mining has typically been viewed as a nuisance, [we’ve] recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days or weeks at a time. … Its fileless nature and use of legitimate system software such as WMI and PowerShell make it difficult, if not impossible, for organizations to block.

WannaMine, first reported by PandaSecurity … leverages advanced tactics and techniques to maintain persistence within a network and move laterally. … The attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors.

Arguably, Amazon is partly to blame. At least, this Anonymous Coward thinks so:

If Amazon AWS has taught us anything, it's that Amazon don't give 2 ****s what their servers do so long as nobody is suing them to stop it.

Still, it’s a good job Tesla has a bug bounty, amirite? There’s a bit more to it than that, says omarforgotpwd:

Your bug bounty needs to be larger than the profits from simply exploiting the vulnerability and mining on your hardware without your permission.


The moral of the story? Watch out for uncharacteristic jumps in CPU usage. Oh, and an admin-console password might come in handy.

And finally …

How to improve Fergie’s NBA National Anthem

 

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Space Exploration Technologies Corp. (cc0)

State of Security Operations 2018
Topics: Security