An unsecured Kubernetes container management console allowed cyber-attackers to breach a Tesla cloud account that contained sensitive data, including telemetry data from the company’s electric cars, according to a report by security company RedLock.
Details about Tesla cloud account breach where included in RedLock report as an example of the cyber-security threats face enterprises that store sensitive data and run important business applications on cloud services.
RedLock’s Cloud Security Intelligence team found that the Tesla breach resulted from the exposure of Amazon Web Services security credentials after hackers penetrated Tesla’s Kubernetes console, which was not password protected This led to the exposure of the company’s Amazon S3 cloud account, which contained sensitive data including the Tesla vehicle telemetry.
The breach also provided access to Tesla’s AWS compute services, which the hackers used to mine crypto-currency. According to the RedLock report, the hackers went to great lengths to hide their activity by not using a public mining pool, by using CloudFlare as a way to hide their traffic and by using non-standard ports. The attackers also apparently throttled their CPU usage to avoid detection.
“The recent rise of crypto-currencies is making it far more lucrative for cyber-criminals to steal organizations’ compute power rather than their data,” said RedLock CTO Gaurav Kumar in an email. “In particular, organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs. In the past few months alone, we have uncovered a number of crypto-jacking incidents including the one affecting Tesla.”
The CSI team found that account compromises are continuing to rise. They blamed this on poor access security practices and ineffective visibility and user activity monitoring.
This means that organizations aren’t doing a very good job of security user access to cloud accounts. But what’s worse, the team found that 73 percent of organizations allow users to have root access while performing daily activities, which violates best practices.
The RedLock reports notes that the motivation for cyber-attacks is changing. Once it was strictly to steal data and make money by selling it or holding it for ransom. But that’s changing as criminals start hijacking computer resources for crypto-currency mining. The CSI team said that their research found that 8 percent of organizations had been compromised by crypto miners, and that most of that theft has gone unnoticed.
A potentially more serious problem is that companies are failing at GDPR compliance. The report said that 66 percent of databases are still not encrypted, despite requirements in the General Data Protection Regulation. The GDPR goes into effect three months from now on May 25. Penalties for failure to comply can be as much as 4 percent of an organization’s global revenue.
RedLock researchers also found that the Spectre and Meltdown vulnerabilities have started to attract the attention of cyber-attackers. The RedLock staff reports that 83 percent of vulnerable hosts are receiving suspicious traffic apparently aimed at exploiting the vulnerability.
“Given the immaturity of cloud security programs today, we anticipate this type of cyber-crime to increase in scale and velocity,” Kumar said. “Organizations need to proactively monitor their public cloud environments for risky resource configurations, signs of account compromise, and suspicious network traffic just as they do for their on-premise environments.”
“The RedLock CSI team has found hundreds of unprotected Kubernetes admin consoles in the past few months,” he explained. “While the cloud enables agility, it also creates risk of accidental exposure by users with limited security expertise due to lack of security oversight. It is tough to speculate why these instances were not password protected, but it is likely due to simple user error and lack of configuration monitoring by security teams.”
What was most remarkable about the CSI report was that the problems that affect on premises infrastructure are the same ones that affect cloud infrastructure. The difference is that most organizations have learned over the years to provide at least some level of protection for their on premises infrastructure and assets. Unfortunately, it appears that the same isn’t true of their cloud resources.
Part of the problem, it appears, comes from a lack of familiarity with managing cloud services. But security for those services does exist is readily available. Amazon, for example regularly sends out emails to AWS users explaining what security measures, products and services are available for its cloud environments.
Unlike private, on-premises environments, the public cloud is just that—public. That means it can be accessed by anyone, including an attacker that possesses the credentials that can enable access from anywhere. What that means is that access security is even more important, because you have no means of preventing a criminal from trying to gain access.
But it also means that monitoring your cloud environment is just as important as your on premises physical environment. Monitoring at least provides a way to find an attacker that’s gotten past your access controls. The CSI team also recommends a “deny all” setting on your firewall for outbound cloud traffic, and setting your cloud so that configuration changes are automatically reported.
The key here is to remember that while the cloud provider can play a role in helping ensure your cloud is secure, they can’t do it alone. It’s your part of the cloud, your data, and you’re paying for those computing assets. It’s your job to make sure they’re secure.