The hijacking of Tesla's Amazon Web Services (AWS) cloud environment by rogue cryptominers is proof that no one is immune to a misconfigured cloud deployment or to cryptomining attacks.
RedLock researchers discovered an unprotected Kubernetes console, belonging to Tesla, that exposed access credentials to Tesla's Amazon Web Services environment.
“Essentially, hackers were running crypto mining scripts on Tesla's unsecured Kubernetes instances,” researchers said in their February 2018 Cloud Security Trends report. “To conceal their identity, the scripts were connecting to servers that reside behind CloudFlare, a content delivery network.”
The AWS environment also contained valuable information such as vehicle telemetry, and the malicious network activity went unnoticed by Tesla because of the techniques the threat actors used to conceal it, the researchers said.
The threat actors made it difficult for domain- and IP-based threat detection systems to spot their activity: they hid the true IP address of the mining pool (routing the connection through the CDN noted above) and kept CPU usage low, so that neither the destination nor the volume of traffic rose to a level that would have drawn attention to the cryptominers.
The prevalence of unsecured AWS deployments and of cryptomining attacks suggested it was only a matter of time before the two were combined in a single attack. Despite that inevitability, researchers argue that Amazon and Tesla share responsibility for the incident, although some say Amazon could do more to prevent attacks that have become so frequent.
“Even with this model, I think that AWS could play a bigger role by offering their services like GuardDuty for free for customers so they can take advantage of AWS's visibility to their platform,” David Cook, CISO of Databricks told SC Media. “Things like rogue services like bitcoin miners can be identified quickly.”
Even if these were offered, Cook said customers still must follow best practices such as change management, key management, regular service scans, monitoring, and scanning. Some researchers believe that fault isn't always black and white in these scenarios.
“Whenever a compromise or data breach takes place, there's a tendency to point fingers, but the reality isn't as clear cut: Security doesn't have an on/off switch - and it's important to layer multiple and different security measures to protect underlying data and resources,” Varonis Vice President of Field Engineering Ken Spinner told SC Media. “AWS provides a number of base level controls such as two-factor authentication and VPCs (Virtual Private Clouds) to help protect accounts, monitor systems and prevent data exfiltration, but it's not a silver bullet.”
Spinner said that if credentials are leaked it is nearly impossible for AWS to determine whether the use they are being put to is legitimate, adding that it is ultimately up to the user to ensure their information remains safe. Given the value of the servers, both for the information they contain and for their computing power, it was only a matter of time before cyber-criminals attempted to compromise them.
“Accounts that provide access to cloud resources are a very lucrative asset for coin miners, as the criminals can mine coins at the expense of the account's owner,” Giovanni Vigna, director of the Center for Cybersecurity at UC Santa Barbara told SC Media. “Kubernetes allows for ‘Dockerised’ instances to be deployed and run at scale, providing the perfect environment to perform large scale coin mining.”
Vigna added that in this case, access control mechanisms should be particularly well designed, as access might result in thousands of dollars in cloud-time bills.
Experts agree on the AWS client's responsibility to secure their data and follow best practices. Prevoty Chief Technology Officer Kunal Anand told SC Media Amazon already does a lot of work when it comes to allowing organizations to see permissions and policies related to its services.
“Unfortunately, application and data security is an afterthought for organizations that are allowing their teams to move quickly via DevOps,” Anand said. “I believe that the primary reason why this keeps happening is the disconnect between security and DevOps teams.”
Anand added that the disconnect results in a lack of policies and procedures when it comes to provisioning and architecting services, and that software developers who lack an understanding of 20+ years of best practices are having to think about network design and topology.
To bridge the gap, Anand said he hopes to see more organisations implement a combination of automated reports and weekly touch points between stakeholders to talk about security.
Sadly, until further action is taken, exposed AWS servers will continue to put both consumer data and client computing power at risk. Exposed AWS servers also left the information of thousands of FedEx customers exposed.
In an email to SC Media UK, Tim Erlin, vice president of product management and strategy at Tripwire, commented: "Mining cryptocurrency requires resources, and there's no reason that criminals wouldn't look for the same advantages from the cloud as other organisations.
"Why make the effort of getting a human being to pay a ransom when you can use their resources to generate your own?
"We've seen numerous incidents with insecure configurations at their root. Organisations with cloud infrastructure must establish baselines for secure configurations and monitor them for changes."
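The two conditions the article describes, a Kubernetes console reachable without logging in and cloud credentials sitting where that console can read them, are exactly the kind of thing a secure-configuration baseline can check for before an attacker does, and the kind of change it can flag afterwards. The script below is an added example, not code from the article, from RedLock, Tesla or Tripwire; the manifests it inspects are constructed for illustration (the dashboard flags `--enable-skip-login` and `--enable-insecure-login` are real Kubernetes Dashboard options, and the AWS key values are Amazon's documented placeholder credentials). The checks are heuristics, not a complete policy.

```python
"""Baseline check for an exposed Kubernetes dashboard and credentials in pod specs.

Added example (not from the article or the organisations it quotes). Manifests
are passed in as plain dicts, i.e. parsed YAML/JSON, so the script runs offline.
"""
import re

# AWS access key IDs carry a fixed public prefix; secret keys are 40 printable chars.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(r"[A-Za-z0-9/+=]{40}")

# Kubernetes Dashboard flags that let a visitor skip or weaken login.
INSECURE_DASHBOARD_ARGS = {"--enable-skip-login", "--enable-insecure-login"}


def _containers(manifest):
    """Return the container list for a Pod or a workload with a pod template."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    return pod_spec.get("containers", [])


def check_manifest(manifest):
    """Return a list of human-readable findings for one manifest (empty if clean)."""
    findings = []
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")

    # A NodePort/LoadBalancer Service puts the console on a network edge.
    if kind == "Service":
        svc_type = manifest.get("spec", {}).get("type")
        if svc_type in {"LoadBalancer", "NodePort"}:
            findings.append(f"{kind}/{name}: exposed outside the cluster via {svc_type}")

    for c in _containers(manifest):
        for arg in c.get("args", []):
            if arg.split("=")[0] in INSECURE_DASHBOARD_ARGS:
                findings.append(f"{kind}/{name}: container {c['name']} runs with {arg} (login bypass)")
        for env in c.get("env", []):
            env_name = env.get("name", "")
            value = str(env.get("value", ""))  # secretKeyRef values are not inlined
            if AWS_ACCESS_KEY_RE.search(value) or (
                env_name.upper().endswith("SECRET_ACCESS_KEY") and AWS_SECRET_KEY_RE.fullmatch(value)
            ):
                findings.append(f"{kind}/{name}: container {c['name']} carries an AWS credential in env {env_name}")
    return findings


def audit(manifests):
    """Run check_manifest over every manifest and concatenate the findings."""
    findings = []
    for m in manifests:
        findings.extend(check_manifest(m))
    return findings


def drift(baseline_findings, current_findings):
    """Findings present now that the recorded baseline did not have (monitor for changes)."""
    return sorted(set(current_findings) - set(baseline_findings))


# Constructed manifests: a dashboard with login skipped, static AWS keys in the
# environment, and a public LoadBalancer in front of it.
INSECURE = [
    {"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "dashboard", "image": "kubernetesui/dashboard",
          "args": ["--enable-skip-login", "--namespace=kubernetes-dashboard"],
          "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                  {"name": "AWS_SECRET_ACCESS_KEY",
                   "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}]}]}}}},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
]

# Same workload with login required, credentials pulled from a Secret, cluster-internal Service.
HARDENED = [
    {"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "dashboard", "image": "kubernetesui/dashboard",
          "args": ["--namespace=kubernetes-dashboard", "--auto-generate-certificates"],
          "env": [{"name": "AWS_ACCESS_KEY_ID",
                   "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}}]}]}}}},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
]

if __name__ == "__main__":
    baseline = audit(HARDENED)          # record once, when the configuration is known-good
    for f in drift(baseline, audit(INSECURE)):
        print("DRIFT:", f)
```

Against `INSECURE` the audit reports four findings (login bypass flag, access key ID, secret key, public LoadBalancer) and against `HARDENED` none; `drift` is the piece that turns a one-off audit into the ongoing monitoring Erlin recommends, by comparing each run to the stored baseline rather than re-reading every finding.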