Hackers have been running crypto mining scripts on unsecured Kubernetes instances owned by Tesla, according to new research from security monitoring provider RedLock.
According to the study, which analysed the public cloud environments RedLock monitors (more than 12 million resources processing petabytes of network traffic), Tesla’s Kubernetes console was exposed without password protection. One of its pods contained access credentials for Tesla’s Amazon Web Services (AWS) environment, and those credentials in turn opened an AWS S3 bucket holding sensitive data such as telemetry.
While the issue was quickly closed off (RedLock reported it to Tesla immediately and it was rectified before it became public), the more interesting aspect is the cryptojacking itself, in which attackers hijack unused CPU resources on unwitting users’ machines to mine cryptocurrency for their own benefit.
A blog post from the company explained how the operation was carried out. Rather than connecting to a well-known public ‘mining pool’ (a service where many machines share the work and the reward is split in proportion to the work each contributed), the hackers installed their own mining pool software and pointed the mining script at an unlisted endpoint. The pool’s real IP address was also hidden behind Cloudflare, and the hackers had ‘most likely’ deliberately configured the mining software to keep CPU usage low.
Together these measures made IP address-based detection of the crypto mining activity (matching traffic against known pool addresses) far more difficult, and the low CPU usage meant the miner would not show up as a utilisation spike. RedLock added that monitoring configurations, user behaviour and network traffic, and correlating network traffic with configuration data, could help in tracking similar issues.
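The correlation RedLock describes can be made concrete. What follows is an added example written for this page, not RedLock’s or Tesla’s tooling: it takes VPC-flow-log-style records for one pod, removes every connection the pod’s declared egress configuration explains, and flags what remains when it recurs across many capture windows over a long span. The egress policy, the pod address, the documentation IP ranges (203.0.113.0/24 standing in for an object-storage endpoint, 198.51.100.77 for a proxy-fronted pool) and the non-standard port 3333 are all constructed assumptions.

```python
"""Added example (not RedLock's or Tesla's tooling): correlate VPC-flow-style
records with a workload's declared egress so that a persistent, low-volume
connection to an endpoint nothing in the configuration explains stands out,
even when the destination is a CDN address and the byte count is tiny."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: the egress each workload (keyed by pod IP) is expected
# to make. A real deployment would derive this from NetworkPolicy objects or
# an asset inventory. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for an object-storage endpoint and an attacker's proxy.
EXPECTED_EGRESS = {
    "10.0.1.15": [("203.0.113.0/24", 443)],
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    start: int
    end: int


def parse_vpc_flow_line(line: str) -> Flow:
    """Parse one default-format (version 2) VPC flow log record:
    version account-id interface-id srcaddr dstaddr srcport dstport
    protocol packets bytes start end action log-status."""
    f = line.split()
    return Flow(src=f[3], dst=f[4], dport=int(f[6]), nbytes=int(f[9]),
                start=int(f[10]), end=int(f[11]))


def is_expected(src: str, dst: str, dport: int) -> bool:
    """True if the configuration explains this (source, destination, port)."""
    for cidr, port in EXPECTED_EGRESS.get(src, []):
        if port == dport and ip_address(dst) in ip_network(cidr):
            return True
    return False


def find_unexplained_persistent_egress(lines, min_windows=12, min_span_s=3600):
    """Group flows by (src, dst, dport), drop pairs the configuration explains,
    and flag the rest when they recur across many capture windows over a long
    span. Volume is deliberately not a criterion: a miner throttled to keep
    CPU usage low also keeps its traffic small."""
    groups = defaultdict(list)
    for line in lines:
        fl = parse_vpc_flow_line(line)
        groups[(fl.src, fl.dst, fl.dport)].append(fl)
    findings = []
    for (src, dst, dport), flows in groups.items():
        if is_expected(src, dst, dport):
            continue
        span = max(f.end for f in flows) - min(f.start for f in flows)
        if len(flows) >= min_windows and span >= min_span_s:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "windows": len(flows), "span_s": span,
                             "avg_bytes": sum(f.nbytes for f in flows) // len(flows)})
    return sorted(findings, key=lambda x: -x["windows"])


def top_talkers(lines):
    """Volume-only ranking, for comparison with the correlated view."""
    totals = defaultdict(int)
    for line in lines:
        fl = parse_vpc_flow_line(line)
        totals[(fl.src, fl.dst, fl.dport)] += fl.nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])


def build_sample_lines():
    """Constructed flow records for one pod over 24 hours."""
    base, acct, eni = 1519000000, "123456789012", "eni-0a1b2c3d"
    lines = []
    # Three large hourly uploads to the expected object-storage range on 443.
    for i in range(3):
        t = base + i * 3600
        lines.append(f"2 {acct} {eni} 10.0.1.15 203.0.113.10 49152 443 6 4000 5000000 {t} {t + 60} ACCEPT OK")
    # A small, steady flow to an unlisted endpoint on a non-standard port in
    # every 10-minute capture window: the shape a throttled miner behind a
    # CDN address produces (constructed, not a real pool).
    for i in range(144):
        t = base + i * 600
        lines.append(f"2 {acct} {eni} 10.0.1.15 198.51.100.77 51234 3333 6 20 1800 {t} {t + 600} ACCEPT OK")
    return lines


if __name__ == "__main__":
    sample = build_sample_lines()
    print("by volume:", top_talkers(sample)[0])
    for finding in find_unexplained_persistent_egress(sample):
        print("unexplained persistent egress:", finding)
```

Ranking by volume alone puts the legitimate bulk upload first and the miner nowhere near the top; removing the traffic the configuration explains and looking for persistence instead puts the miner at the top. A Cloudflare-fronted address defeats reputation lists but not this check, because the check never asks who the destination is, only whether anything in the configuration accounts for it.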
While some crypto mining is transparent (US news website Salon, for example, asked visitors with an ad blocker installed to let the site mine in their browser instead), much of it is far more sinister. “The skyrocketing value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute power in organisations’ public cloud environments,” the RedLock blog explained. “The nefarious network activity is going completely unnoticed.”
Cloud security best practices
On a wider theme, however, the report once again underlines the importance of the shared responsibility model in cloud computing. Almost three quarters (73%) of the organisations analysed carry out day-to-day activities with their public cloud root account.
Root credentials grant unrestricted access to everything in the account, so their exposure puts all of its data at risk, and AWS strongly advises against using them for routine work. Think of the root access key as you would a credit card number and protect it accordingly, the company says in its best practice guide. As this publication has reported on several occasions, a provider such as AWS is responsible for security ‘of’ the cloud (data centres, hypervisors, routers and so on), while the customer is responsible for security ‘in’ the cloud: what it deploys, how it configures it and who is allowed to access it.
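Root-account use is also easy to detect after the fact, because every root action lands in CloudTrail. The following is an added example written for this page, not an AWS or RedLock tool: it reads CloudTrail records in the shape CloudTrail delivers to S3, lists every event performed by the root identity, and checks whether MFA protected it (console logins record this in additionalEventData.MFAUsed, API calls made with session credentials in sessionContext.attributes.mfaAuthenticated). The records, account ID, addresses and user names are constructed.

```python
"""Added example (not AWS's or RedLock's tooling): audit CloudTrail records for
root-account activity and whether MFA protected it. Records below are
constructed in the schema CloudTrail delivers to S3 ({"Records": [...]});
the account ID, addresses and names are placeholders."""
import json
from typing import Optional

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-02-20T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-02-20T08:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2018-02-20T08:10:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "userName": "telemetry-uploader",
                      "arn": "arn:aws:iam::123456789012:user/telemetry-uploader"}},
    {"eventTime": "2018-02-20T08:12:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-readonly/ci",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})


def load_records(trail_json: str) -> list:
    """CloudTrail log files delivered to S3 wrap events in a top-level Records list."""
    return json.loads(trail_json)["Records"]


def mfa_used(rec: dict) -> Optional[bool]:
    """Console logins report MFA in additionalEventData.MFAUsed; API calls
    made with session credentials report it in sessionContext.attributes.
    Returns None when the record carries neither."""
    if rec.get("eventName") == "ConsoleLogin":
        value = rec.get("additionalEventData", {}).get("MFAUsed")
        return None if value is None else value == "Yes"
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    value = attrs.get("mfaAuthenticated")
    return None if value is None else value == "true"


def audit_root_usage(records: list) -> list:
    """One finding per event performed by the root identity. Any root use is
    worth a ticket; root use without MFA (or with MFA unknown) is high severity."""
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        mfa = mfa_used(rec)
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventSource": rec.get("eventSource"),
            "eventName": rec.get("eventName"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "mfa": mfa,
            "severity": "high" if not mfa else "medium",
        })
    return sorted(findings, key=lambda f: f["eventTime"])


def root_share(records: list) -> float:
    """Fraction of events performed by root: a cheap per-account health metric."""
    if not records:
        return 0.0
    root = sum(1 for r in records if r.get("userIdentity", {}).get("type") == "Root")
    return root / len(records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for f in audit_root_usage(recs):
        print(f["severity"].upper(), f["eventTime"], f["eventName"], "mfa =", f["mfa"])
    print(f"root share of events: {root_share(recs):.0%}")
```

Run against a real trail, this should return nothing most days; a root console login without MFA followed minutes later by a bucket ACL change from the same address is exactly the sequence that turns an exposed credential into a public bucket.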
A couple of stories which have broken in the past week shed light on this. Last week, the BBC reported on a service called Buckhacker, which allowed users to trawl S3 buckets for unsecured sensitive data, while yesterday another story found security researchers had posted ‘friendly warnings’ to companies whose private content had been made public.
At the time of the Buckhacker release, Mark Hickman, chief operating officer at WinMagic, said organisations ‘must fulfil their part of the shared responsibility deal’ with regards to cloud security. “Customers should encrypt all data before it is placed in the cloud,” he said. “It is the last line of defence if a hacker gains access to their cloud services.
“Equally important is that encryption is employed where the keys are centrally managed and remain under the customer’s constant control, and the keys never stored on a public cloud service, or servers that could be exposed to a hack,” Hickman added.
The RedLock report suggests such practices are far from universal, and the company shares the concern.
“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility,” said Gaurav Kumar, CTO of RedLock.
“Organisations of every stripe are fundamentally obliged to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic, and host vulnerabilities,” Kumar added. “Without that, anything the providers do will never be enough.”
You can read the full RedLock report here (email required).