Hackers infiltrated electric car giant’s cloud environment
Following last week’s discovery that more than 4,000 websites had been subject to a large-scale cryptojacking campaign, researchers have revealed that Tesla’s cloud environment was recently exploited to mine for cryptocurrency.
A new report from the RedLock Cloud Security Intelligence team details how hackers infiltrated the electric vehicle specialist’s Kubernetes console, which was not password-protected.
“Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 bucket that had sensitive data such as telemetry,” RedLock said.
“In addition to the data exposure, hackers were performing crypto-mining from within one of Tesla’s Kubernetes pods.”
Upon spotting the flaw, the researchers immediately reported the incident to Tesla and the issue was quickly rectified.
RedLock’s postmortem of the Tesla cryptojacking campaign comes less than a year after the US-based cloud security group found hundreds of Kubernetes admin consoles accessible over the internet without any password protection.
However, unlike the other campaigns exposed by RedLock, the team noted that “some sophisticated evasion measures” were employed in the attack against the electric car manufacturer.
“Unlike other crypto-mining incidents, the hackers did not use a well-known public ‘mining pool’ in this attack,” RedLock stated. “Instead, they installed mining pool software and configured the malicious script to connect to an ‘unlisted’ or semi-public endpoint.
“This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.”
In addition, the researchers found that the hackers also masked the true IP address of the mining pool behind CloudFlare, while the mining software itself was configured to listen on a non-standard port, making it harder still to detect malicious activity.
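Because the miner talked to an unlisted endpoint behind a CDN on a non-standard port, indicator feeds would not have flagged it; a defender can instead look at connection behaviour. The following is an added example, not code from the RedLock report: it reads constructed flow records for pods and flags sustained, high-volume outbound sessions to ports outside an expected egress allowlist. The allowlist, thresholds and sample records are assumptions.

```python
"""Behavioural egress check: flag pods with sustained, high-volume outbound
connections to non-standard ports, independent of IP/domain threat feeds.
All records below are constructed sample data in a simplified flow-log style."""
from collections import defaultdict
from dataclasses import dataclass

EXPECTED_EGRESS_PORTS = {53, 80, 443}   # assumed allowlist for this workload
MIN_DURATION_S = 600                    # assumed threshold: long-lived session
MIN_BYTES_OUT = 1_000_000               # assumed threshold: steady upstream volume

@dataclass
class Flow:
    pod: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    duration_s: int

def parse_flows(lines):
    """Parse 'pod dst_ip dst_port bytes_out duration_s' records; skip comments."""
    flows = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pod, ip, port, nbytes, dur = line.split()
        flows.append(Flow(pod, ip, int(port), int(nbytes), int(dur)))
    return flows

def suspicious_egress(flows, expected_ports=EXPECTED_EGRESS_PORTS):
    """Return {pod: [(dst_ip, dst_port), ...]} for destinations on non-allowlisted
    ports whose aggregated traffic exceeds both thresholds. Aggregating per
    destination catches many short reconnects to the same endpoint."""
    agg = defaultdict(lambda: [0, 0])   # (pod, ip, port) -> [bytes, seconds]
    for f in flows:
        if f.dst_port in expected_ports:
            continue
        agg[(f.pod, f.dst_ip, f.dst_port)][0] += f.bytes_out
        agg[(f.pod, f.dst_ip, f.dst_port)][1] += f.duration_s
    hits = defaultdict(list)
    for (pod, ip, port), (nbytes, secs) in agg.items():
        if nbytes >= MIN_BYTES_OUT and secs >= MIN_DURATION_S:
            hits[pod].append((ip, port))
    return dict(hits)

SAMPLE_FLOWS = """
# pod dst_ip dst_port bytes_out duration_s   (constructed; documentation IP ranges)
web-7f9c 203.0.113.10 443 48000 12
web-7f9c 203.0.113.10 443 51000 9
batch-2a1 198.51.100.7 9999 700000 1800
batch-2a1 198.51.100.7 9999 650000 2100
web-7f9c 192.0.2.44 8443 1500 3
"""

if __name__ == "__main__":
    print(suspicious_egress(parse_flows(SAMPLE_FLOWS.splitlines())))
```

In the sample, only `batch-2a1` is reported: its reconnecting sessions to port 9999 sum to 1.35 MB over 3,900 seconds, while the short 8443 connection stays below both thresholds.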
RedLock’s report follows last week’s announcement that thousands of websites – including those of numerous government and public sector organizations – had been subject to a large-scale cryptojacking campaign.
The affected sites, which included the UK’s Information Commissioner’s Office, the General Medical Council, and United States Courts, were loading a compromised third-party script that covertly turned users’ devices into Monero miners.