Mega cybersecurity breaches have left the public and companies feeling vulnerable, and, according to a new report by cloud security firm RedLock, Tesla is one of the latest victims to have its public cloud breached by hackers.
The RedLock CSI team found that hackers infiltrated a public cloud environment owned by the electric car company. The hackers used their access to steal computing time for cryptocurrency mining. RedLock said it informed Tesla, and the car company’s security team has already addressed the vulnerabilities, according to a report being released by RedLock today.
The cloud security trends report evaluates serious threats to public cloud environments. It found that account compromises keep rising. Poor user and API access hygiene, combined with ineffective visibility and user activity monitoring, are causing organizations to be more vulnerable to breaches. For example, 73 percent of organizations allow the root user account to be used to perform activities — behavior that goes against security best practices. Sixteen percent of organizations have user accounts that have potentially been compromised.
In many hacks, the goal is to steal data. But now, the thieves also hijack compute resources in order to mine cryptocurrencies (as detailed in RedLock’s October 2017 Cloud Security Trends report). The research reveals that 8 percent of organizations have been hit by cryptocurrency mining hacks, which mostly go unnoticed because of ineffective network monitoring.
Menlo Park, California-based RedLock also found that many companies are still a long way from compliance with the General Data Protection Regulation (GDPR), a European Union privacy regulation that goes into effect in a few months. Companies are far from where they need to be to effectively govern the cloud and ensure compliance. For instance, the analysis shows that 66 percent of databases are not encrypted.
The report said the Spectre and Meltdown vulnerabilities should serve as a wake-up call for the industry to address vulnerability management in the cloud. The research also found that 83 percent of vulnerable hosts in the cloud are receiving suspicious traffic, something many organizations never see because their standalone on-premises tools give them no such visibility into cloud workloads.
During their work, RedLock CSI researchers learned about an intrusion into Tesla’s public cloud environment. In this case the hackers not only gained unauthorized access to non-public Tesla data, but were also stealing compute resources within Tesla’s Amazon Web Services (AWS) environment for cryptojacking. The attack was similar to the ones at Aviva and Gemalto.
The Tesla findings build on research from last year, when the CSI team found that hundreds of Kubernetes administration consoles were accessible over the internet without password protection and were leaking credentials to other critical applications. Cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment. Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.
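The credential-leak pattern described above, plaintext AWS keys sitting in pod specs that anyone reaching an unauthenticated console can read, is easy to check for in one’s own cluster. The following is an added example, not code from RedLock or Tesla: it scans a PodList document in the shape returned by `kubectl get pods -A -o json` (or the API’s `/api/v1/pods`) for container environment variables that either use the standard AWS credential variable names or carry a literal value in the AWS access key ID format. The sample PodList is constructed, and the key IDs in it are AWS’s documented placeholder examples, not real keys.

```python
import json
import re

# Long-term AWS access key IDs start with "AKIA"; temporary (STS) ones with "ASIA".
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Environment variable names the AWS SDKs and CLI read credentials from.
SENSITIVE_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Constructed sample PodList (same shape as `kubectl get pods -A -o json`).
# Pod names, namespaces and values are invented; the key IDs are AWS's
# documented example placeholders.
SAMPLE_PODLIST = json.loads("""
{
  "kind": "PodList",
  "items": [
    {
      "metadata": {"name": "telemetry-ingest-7d9f", "namespace": "data"},
      "spec": {"containers": [
        {"name": "ingest",
         "env": [
           {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
           {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
           {"name": "LOG_LEVEL", "value": "info"}
         ]}
      ]}
    },
    {
      "metadata": {"name": "web-5c6d", "namespace": "frontend"},
      "spec": {"containers": [
        {"name": "nginx",
         "env": [
           {"name": "S3_UPLOAD_KEY", "value": "AKIAI44QH8DHBEXAMPLE"},
           {"name": "AWS_REGION", "valueFrom": {"secretKeyRef": {"name": "aws", "key": "region"}}}
         ]}
      ]}
    },
    {
      "metadata": {"name": "worker-1", "namespace": "batch"},
      "spec": {"containers": [{"name": "job", "env": [{"name": "MODE", "value": "fast"}]}]}
    }
  ]
}
""")


def find_exposed_aws_credentials(podlist):
    """Return findings for AWS credentials placed as literals in pod specs.

    Each finding is (namespace, pod, container, env_name, reason). An env var is
    flagged when its name is a well-known AWS credential variable, or when its
    literal value matches the access key ID format under any name. Entries
    populated via valueFrom (Secret/ConfigMap references) carry no literal in
    the spec and are skipped here; they still warrant a separate review of the
    referenced Secret's RBAC.
    """
    findings = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        ns, pod_name = meta.get("namespace", "default"), meta.get("name", "?")
        spec = pod.get("spec", {})
        # initContainers can carry credentials just as easily as app containers.
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            for env in c.get("env", []):
                env_name = env.get("name", "")
                value = env.get("value")
                if value is None:
                    continue  # valueFrom reference, no literal to inspect
                if env_name in SENSITIVE_ENV_NAMES:
                    findings.append((ns, pod_name, c["name"], env_name,
                                     "AWS credential variable set as a literal"))
                elif AWS_KEY_ID_RE.search(value):
                    findings.append((ns, pod_name, c["name"], env_name,
                                     "value matches AWS access key ID format"))
    return findings


if __name__ == "__main__":
    for ns, pod, container, env_name, reason in find_exposed_aws_credentials(SAMPLE_PODLIST):
        # Print only the variable name, never the value, so the report itself does not leak.
        print(f"{ns}/{pod} [{container}] {env_name}: {reason}")
```

Run against a real cluster by piping `kubectl get pods -A -o json` into `json.load` instead of the constructed sample; any hit means the credential is visible to anyone who can read pod specs, which on an unauthenticated console is everyone.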
In addition, the cyber thieves performed cryptojacking using Tesla’s cloud compute resources and employed specific techniques to evade detection. For example, instead of connecting to a well-known public mining pool, they installed their own mining pool software and configured the malicious script to connect to an “unlisted” endpoint. That makes it harder for standard IP/domain-based threat intelligence feeds to detect the activity, RedLock said. Other tricks included hiding the true IP address of the mining pool server behind CloudFlare and, most likely, keeping CPU usage low to avoid drawing attention.
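Because the miners talked to an unlisted pool endpoint fronted by CloudFlare, a destination IP or domain feed would not have fired. The following added example (not RedLock’s or Tesla’s code) shows the complementary check a detection engineer would write: it classifies outbound connections by whether the first application-layer message is a Stratum mining handshake (the JSON-RPC `mining.subscribe`/`mining.authorize` messages used by Bitcoin-style pools and the `login`/`getjob`/`submit` messages used by Monero-style pools) instead of by where the connection goes. The egress records, the feed contents and every address below are constructed.

```python
import json

# Constructed IP-reputation "feed" of known public mining pool addresses.
KNOWN_POOL_IPS = {"203.0.113.10", "198.51.100.7"}

# JSON-RPC method names used in Stratum handshakes by Bitcoin-style
# (mining.*) and Monero-style (login/getjob/submit/keepalived) pools.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "getjob", "submit", "keepalived"}

# Substrings of common miner user-agent strings (matched case-insensitively).
MINER_AGENT_HINTS = ("xmrig", "xmr-stak", "cpuminer", "cgminer", "minerd")

# Constructed egress log: one record per outbound connection with the first
# application-layer bytes captured by a sensor. None of this is real traffic;
# 192.0.2.44 stands in for the unlisted pool hidden behind a CDN.
SAMPLE_FLOWS = [
    {"src": "10.0.4.21", "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cgminer/4.10"]}\n'},
    {"src": "10.0.4.22", "dst": "192.0.2.44", "dport": 443,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"w1","pass":"x","agent":"XMRig/2.4.4"}}\n'},
    {"src": "10.0.4.23", "dst": "93.184.216.34", "dport": 443,
     "payload": 'GET /index.html HTTP/1.1\r\nHost: example.com\r\n'},
    {"src": "10.0.4.24", "dst": "10.0.9.5", "dport": 8080,
     "payload": '{"jsonrpc":"2.0","method":"getStatus","id":7}'},
]


def feed_match(flow):
    """Destination-based check: True only if the peer is on the IP feed."""
    return flow["dst"] in KNOWN_POOL_IPS


def stratum_match(flow):
    """Protocol-based check: a reason string if the first message is a Stratum
    handshake, else None. Works regardless of destination IP, port or CDN."""
    text = flow["payload"].strip()
    first_line = text.splitlines()[0] if text else ""
    try:
        msg = json.loads(first_line)
    except ValueError:
        return None  # not JSON-RPC at all (HTTP, TLS, binary, ...)
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    method = msg["method"]
    # Pull the client agent out of either parameter style.
    params = msg.get("params")
    if isinstance(params, dict):
        agent = str(params.get("agent", ""))
    elif isinstance(params, list) and params and isinstance(params[0], str):
        agent = params[0]
    else:
        agent = ""
    reason = f"stratum method {method}"
    if any(hint in agent.lower() for hint in MINER_AGENT_HINTS):
        reason += f", miner agent {agent}"
    return reason


def triage(flows):
    """Return (src, dst, feed_hit, protocol_reason) for every flow so the two
    detection strategies can be compared side by side."""
    return [(f["src"], f["dst"], feed_match(f), stratum_match(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, feed_hit, reason in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: feed={'HIT' if feed_hit else 'miss'} protocol={reason or 'clean'}")
```

In the sample, the feed catches only the first connection; the second, headed to the unlisted endpoint, is caught solely by the Stratum handshake and the XMRig agent string. Low CPU throttling does not help the attacker here either, since the check keys on the handshake rather than on resource consumption.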
“The message from this research is loud and clear — the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities,” said Gaurav Kumar, chief technology officer of RedLock and head of the CSI team, in a statement. “In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: Organizations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities. Without that, anything the providers do will never be enough.”
We’ve asked Tesla for comment. RedLock uses artificial intelligence to detect threats to cloud services such as Amazon Web Services, Microsoft Azure, and Google Cloud. The company is backed by Sierra Ventures, Storm Ventures, Dell Technologies Capital, and others.