Tesla servers hijacked by cryptocurrency miners

The incident was revealed by security firm RedLock this week. They discovered hackers had infiltrated a Kubernetes installation on one of Tesla’s Amazon Web Services (AWS) accounts. Kubernetes is an open-source software system used to manage clustered application instances in cloud-based containers.
The attackers gained access to the server because Tesla hadn’t set a password on its Kubernetes administration console. One of the Kubernetes pods – a group of application containers – stored sensitive credentials that could be used to access other areas of Tesla’s Amazon Web Services cloud infrastructure.
It seems as though the attackers weren’t intending to steal Tesla secrets. Instead, they installed cryptocurrency mining software and then used Tesla’s cloud resources to generate revenue. The mining configuration was specially altered to disguise its existence, making it unlikely Tesla engineers would notice the additional network traffic. Steps had also been taken to restrict the miner’s CPU usage, further lowering the risk of detection.

Image: Unsecured Tesla Kubernetes console (credit: RedLock)


The attackers appeared to be using the infiltrated Kubernetes pod as the basis of a long-term mining operation. The activity is similar to several other cases of cryptojacking observed over the past few months. In each case, the perpetrators used unsecured Kubernetes admin consoles to gain access to cloud infrastructure at major companies. SIM card manufacturer Gemalto and UK insurer Aviva are amongst the other victims identified by RedLock.
The simplest way for enterprises to protect themselves is to ensure their cloud services are properly secured. An unsecured admin console could provide attackers with a wealth of opportunities and go unnoticed for months. RedLock said firms should also proactively monitor the network traffic to their cloud services. Tesla could have spotted the activity through the unusual port assigned to the miner.
“With DevOps teams delivering applications and services to production without any security oversight, organizations should monitor for risky configurations,” said RedLock. “Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing their environment.”
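The network-traffic monitoring RedLock recommends above can be sketched as a check over AWS VPC Flow Logs. This is an added example, not code from RedLock or Tesla: it flags internal hosts that keep an outbound connection open to a port outside an expected allow-list, a signal that does not depend on CPU usage. The VPC range, allow-list, threshold, port 18080 and sample records are all constructed assumptions, and the workload is assumed not to serve inbound internet traffic.

```python
import ipaddress
from collections import defaultdict

# Assumptions (hypothetical values, tune per environment):
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # internal address space
ALLOWED_EGRESS_PORTS = {53, 80, 123, 443}        # expected outbound ports
MIN_WINDOWS = 3                                  # capture windows before alerting

# Field order of the default (version 2) AWS VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: documentation IP ranges, made-up account and ENI.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.7 49152 443 6 20 4200 1518000000 1518000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49200 18080 6 15 1800 1518000000 1518000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 18080 49200 6 14 1700 1518000000 1518000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49200 18080 6 16 1900 1518000060 1518000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49200 18080 6 15 1850 1518000120 1518000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.22 192.0.2.44 50111 8443 6 3 300 1518000120 1518000180 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1518000180 1518000240 - NODATA
"""

def unusual_egress(log_text):
    """Return (src, dst, dstport, windows, bytes) for persistent off-list egress."""
    windows = defaultdict(set)   # flow key -> set of capture-window start times
    volume = defaultdict(int)    # flow key -> total bytes sent
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue             # skip NODATA/SKIPDATA and rejected flows
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        port = int(rec["dstport"])
        # Keep only internal -> external flows; this also drops return traffic.
        if src not in VPC_CIDR or dst in VPC_CIDR or port in ALLOWED_EGRESS_PORTS:
            continue
        key = (str(src), str(dst), port)
        windows[key].add(rec["start"])
        volume[key] += int(rec["bytes"])
    hits = [(s, d, p, len(windows[(s, d, p)]), volume[(s, d, p)])
            for (s, d, p) in windows if len(windows[(s, d, p)]) >= MIN_WINDOWS]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    print(unusual_egress(SAMPLE_LOG))
```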
RedLock notified Tesla of its findings “immediately” after it discovered the exposed admin interface. Tesla responded within hours of receiving the alert. It has now secured the Kubernetes instance and removed the mining software. The company told CNBC there was no risk to its customers or vehicles as the server was only used by internal engineering teams.
