Tesla is one of the biggest names in the auto industry today. That didn’t stop them from misusing their cloud platform, though. Tesla didn’t believe having a password on their Kubernetes administration console was necessary, for some reason. Through this, crypto miners were able to infiltrate their AWS account to mine cryptocurrency using the cloud’s computing power. These cloud crypto attacks are generally known as “cryptojacking.” Cloud security is essential to maintaining the safety of your enterprise’s information, and obviously, that starts with having a password. If cryptojacking is a notable concern, talk to your managed service provider or managed security provider to find out what they can do to help.
If this attack was so simple to execute on a multi-billion-dollar tech company, then it could be just as easy on a smaller enterprise. RedLock, a security company, recently found that hundreds of Kubernetes administration consoles were accessible over the internet without any password protection. These cryptojackers, as RedLock calls them, will go to any length to obtain cryptocurrency. So, what can you do to stay secure from this threat?
Knowing the enemy
The benefits of using the cloud are seemingly endless. It’s more versatile, easier to manage, faster to use, teams can work anywhere, etc. Crypto miners recognize these same benefits. Utilizing the cloud to crypto mine is incredibly efficient. It’s theoretically a lot easier than creating an intricate setup of expensive GPUs, but investing in a cloud platform isn’t always viable.
There are dedicated cloud crypto mining services available online, but these often don’t have enough power or are too expensive for a dedicated crypto miner. If you could create cryptocurrency by simply infiltrating a major corporation like Telsa’s cloud, wouldn’t you? Hackers will go to any extent to get what they need. Ignoring cloud security in favor of a faster release schedule is never worth it.
How the attack happened
The cryptojackers went to extreme lengths to hide their attacks. These hacking professionals know what to do and know how to go unnoticed, especially when the security measures are lacking. RedLock detailed how they performed their attack:
- Unlike other crypto mining incidents, the hackers did not use a well-known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.
- The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.
- Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
- Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
These attacks can go on for months at a time without anyone noticing. Enterprises are apparently overlooking the importance of monitoring. The biggest flaw in DevOps is the lack of built-in security. Faster development and release schedules are great, but not if you don’t notice (or care about) major vulnerabilities (like having no password).
IT professionals must invest in DevSecOps going forward. DevOps needs security built in going forward. Cloud security needs to be a priority. These platforms don’t necessarily take care of themselves. Network monitoring solutions can help you discover normal user behavior, and it can recognize when someone is using a large amount of computing power to crypto mine. Hackers are coming through the cloud, IoT devices, and any other vulnerability, monitoring is more important than ever.
Container and cloud security
Having less security is never the right call. Sometimes development teams don’t necessarily want security built in as their working, but they need it. Catching vulnerabilities in your build environment is essential to releasing the best product possible. My recent container security article goes into this in detail. Container and cloud security are often overlooked, as following popular IT trends can be overwhelming without the proper care.
Perhaps the simplest takeaway from my recent article was registry security. A lot of IT teams have irrational trust in their colleagues. Trust cannot overshadow core security practices. It’s almost unbelievable that Tesla didn’t have a password on their container administration console. Passwords already lack security, as we recently saw the Hawaii Emergency Management Agency leak a password that was written on a Post-It note. It’s better to have a vulnerable password, or a password written on a note, than having no password at all. Password technology may be changing with biometric authentication, but for now, please stick with a decent password.
- Solutions Review Best of 2018: Top Container Security Articles - December 20, 2018
- Logicworks and AVANT Communications Announce Alliance - December 19, 2018
- A Look at the Container Lifecycle and How to Keep it Secure - December 14, 2018