Hackers recently infiltrated a Kubernetes administration console operated by Tesla that had been left without password protection, cloud defense platform provider RedLock said in a prepared statement. Access credentials for Tesla's Amazon Web Services (AWS) environment were exposed inside one Kubernetes pod, and with them the intruders could reach an Amazon Simple Storage Service (S3) bucket holding sensitive corporate data.
The intruders also ran cryptocurrency mining software from within one of Tesla's Kubernetes pods, RedLock indicated, and took the following steps to avoid discovery:
- Rather than joining a well-known public mining pool, the attackers installed their own mining pool software and configured the malicious script to connect to an "unlisted" or semi-public endpoint; standard IP- and domain-based threat intelligence feeds have no entry for such an endpoint and therefore do not flag the traffic.
- The true IP address of the mining pool server was hidden behind Cloudflare, a free content delivery network (CDN) service. Mining traffic then appears to go to Cloudflare's shared edge addresses, and because anyone can register for a free CDN account and obtain a fresh fronting address on demand, blocking or alerting on the pool's IP address is of limited value.
- The mining pool software was configured to listen on a non-standard port, so detection that keys on the well-known mining ports sees nothing unusual.
RedLock reported the incident to Tesla, and the automaker has corrected the issue.
What Can MSSPs Learn from the Tesla Cryptojacking Attack?
Hackers are quickly shifting their focus from stealing data to stealing compute power in organizations' public cloud environments, RedLock said. MSSPs therefore must help customers detect crypto mining and other suspicious activities across fragmented cloud environments.
RedLock offered the following tips to ensure that MSSPs can help customers address cloud security dangers:
- Monitor configurations. Deploy tools that can automatically discover resources as soon as they are created, determine the applications running on a resource and apply appropriate policies based on the resource or application type.
- Monitor network traffic. Evaluate network traffic and correlate it with configuration data, so that a connection is judged against what the resource is supposed to be doing rather than against IP reputation alone.
- Monitor for suspicious user activity. Establish a baseline for normal user activities and detect anomalous behaviors.
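The evasion techniques listed above defeat checks that key on a pool's IP address, domain or port, and the tips just given argue for judging traffic against configuration instead. The script below is an added example written for this article, not RedLock's product or anything from Tesla's environment. It aggregates constructed AWS-VPC-flow-log-style records into per-destination sessions and flags them on behaviour: a port the inventoried application never needs, a long-lived low-rate session (what a stratum share stream looks like even on port 443 behind a CDN), or a source address that configuration monitoring never registered. The inventory, the flow records and the thresholds are all assumptions.

```python
"""Egress checks that do not depend on port, IP or domain reputation.

Added example, not RedLock's tooling or anything from Tesla's environment.
Inputs are constructed: the flow records mimic AWS VPC flow log v2 field order,
the inventory is a hypothetical output of configuration monitoring.
"""

# Constructed flow records. Fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-0a1b 10.0.1.15 104.16.12.8 41022 443 6 1200 48000 1518000000 1518003600 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 198.51.100.7 41100 3333 6 900 36000 1518000000 1518003600 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 52.94.1.1 41200 443 6 900 2000000 1518001000 1518001030 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.20 10.0.3.5 50000 5432 6 8000 1200000 1518000000 1518003600 ACCEPT OK
2 123456789012 eni-0e3f 10.0.9.9 198.51.100.7 40000 443 6 600 24000 1518000000 1518003600 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 203.0.113.9 41300 4444 6 3 180 1518000000 1518000005 REJECT OK
"""

# Hypothetical inventory from configuration monitoring: the application on each
# address and the egress ports that application legitimately needs.
INVENTORY = {
    "10.0.1.15": {"name": "k8s-worker-1", "app": "kubernetes-dashboard", "egress_ports": {53, 443}},
    "10.0.2.20": {"name": "web-1", "app": "web-frontend", "egress_ports": {53, 443, 5432}},
}

FIELDS = ("version", "account", "eni", "src", "dst", "sport", "dport", "proto",
          "packets", "bytes", "start", "end", "action", "status")


def parse_flow_log(text):
    """Yield one dict per well-formed record; numeric fields converted to int."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("dport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def aggregate_sessions(records):
    """Collapse accepted records into (src, dst, dport) sessions with total bytes
    and the overall time span, so a miner that reconnects every few minutes
    still shows up as one long-lived session."""
    sessions = {}
    for rec in records:
        if rec["action"] != "ACCEPT":
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        sess = sessions.setdefault(key, {"bytes": 0, "start": rec["start"], "end": rec["end"]})
        sess["bytes"] += rec["bytes"]
        sess["start"] = min(sess["start"], rec["start"])
        sess["end"] = max(sess["end"], rec["end"])
    return sessions


def analyze(flow_log, inventory, min_duration=1800, low_rate_bps=200.0):
    """Return findings keyed on behaviour rather than on who the peer is.

    non-standard-port:   the application on this host has no business on that port.
    long-lived-low-rate: a session open >= min_duration at < low_rate_bps; a
                         stratum share stream looks like this even on 443 behind a CDN.
    unknown-resource:    traffic from an address configuration monitoring never saw.
    Thresholds are assumptions for the constructed data; tune them per environment.
    """
    findings = []
    for (src, dst, dport), sess in aggregate_sessions(parse_flow_log(flow_log)).items():
        duration = max(sess["end"] - sess["start"], 1)
        rate = sess["bytes"] / duration
        resource = inventory.get(src)
        reasons = []
        if resource is None:
            reasons.append("unknown-resource")
        elif dport not in resource["egress_ports"]:
            reasons.append("non-standard-port")
        if duration >= min_duration and rate < low_rate_bps:
            reasons.append("long-lived-low-rate")
        if reasons:
            findings.append({
                "resource": resource["name"] if resource else src,
                "src": src, "dst": dst, "dstport": dport,
                "duration_s": duration, "bytes_per_s": round(rate, 1),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: (f["src"], f["dst"], f["dstport"]))


if __name__ == "__main__":
    for f in analyze(FLOW_LOG, INVENTORY):
        print(f"{f['resource']:<12} -> {f['dst']}:{f['dstport']:<5} "
              f"{f['duration_s']:>5}s {f['bytes_per_s']:>7} B/s  {', '.join(f['reasons'])}")
```

On the constructed data the dashboard worker's hour-long trickle to a Cloudflare-range address on 443 is flagged even though the port is allowed and the IP is on no blocklist, the connection to port 3333 is flagged on port alone, the short 2 MB API call and the database session (allowed port, sustained throughput) pass, and the uninventoried host is flagged simply for existing. The rate and duration cut-offs will produce false positives on chatty keepalive traffic in a real environment and need tuning against a baseline.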
Organizations must monitor their infrastructure for risky configurations, anomalous user activities, suspicious network traffic and host vulnerabilities, RedLock Chief Technology Officer Gaurav Kumar said in a prepared statement. That way, organizations can protect their cloud environments against sophisticated cyberattacks both now and in the future.
Many Organizations Publicly Expose Sensitive Data on Cloud Storage Services
Most organizations using cloud storage services such as Amazon S3 and Microsoft Azure inadvertently expose one or more such services to the public, according to a RedLock report.
Key findings from the RedLock "Cloud Security Trends" report included:
- 83 percent of vulnerable hosts in the cloud received traffic from suspicious locations.
- 80 percent of organizational resources associated with security groups did not restrict outbound traffic.
- 66 percent of organizational databases were not encrypted.
- 58 percent of organizations publicly exposed at least one cloud storage service.
- 47 percent of organizations failed to meet PCI requirements, 44 percent did not comply with HIPAA requirements and 32 percent ignored SOC 2 best practices.
Monitoring public cloud environments for risky configurations and account compromises and deploying effective network intrusion detection solutions is key, RedLock noted. Organizations also should monitor ingress and egress network traffic for any suspicious activities, RedLock stated, and implement a "deny all" default outbound firewall policy so that a compromised host cannot reach an arbitrary mining pool in the first place.
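The 80 percent figure above and the closing "deny all" recommendation describe the same security group setting from two sides. The script below is an added example written for this article, not RedLock's product or any Tesla configuration: it checks security-group definitions shaped like EC2 DescribeSecurityGroups output for egress rules that reach any destination, and builds the default-deny replacement from an explicit allow-list. The group, the allow-list and the CIDRs are constructed and hypothetical.

```python
"""Find security groups whose egress amounts to "allow everything" and build a
default-deny replacement.

Added example, not RedLock's product or any Tesla configuration. The group
definitions are constructed in the shape of EC2 DescribeSecurityGroups output;
the CIDRs in the allow-list are hypothetical.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed: the AWS default of one all-protocols rule to any destination.
OPEN_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "k8s-workers",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": ANY_V4}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    ],
}


def _any_destination(rule):
    """True if the rule's destination is the whole IPv4 or IPv6 internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])))


def _all_ports(rule):
    """True for protocol -1 (all traffic) or a TCP/UDP range covering every port."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= 0 and rule.get("ToPort", 65535) >= 65535


def unrestricted_egress(sg):
    """Return (severity, protocol, from_port, to_port) for each rule that lets the
    instance reach any internet host.

    'all'  : every protocol and port to anywhere (the default security group).
    'port' : one port range to anywhere; still enough for a miner that talks to a
             pool fronted by a CDN on 443, so destination restriction is what counts.
    """
    findings = []
    for rule in sg.get("IpPermissionsEgress", []):
        if not _any_destination(rule):
            continue
        if _all_ports(rule):
            findings.append(("all", rule.get("IpProtocol"), None, None))
        else:
            findings.append(("port", rule.get("IpProtocol"),
                             rule.get("FromPort"), rule.get("ToPort")))
    return findings


def restricted_egress(allowed):
    """Build an egress rule list from (protocol, from_port, to_port, cidr) tuples.

    A security group has no explicit deny: removing the catch-all rule and
    listing only these destinations is the "deny all" default outbound policy.
    """
    return [
        {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []}
        for proto, lo, hi, cidr in allowed
    ]


def harden(sg, allowed):
    """Return a copy of the group with its egress replaced by the allow-list."""
    return {**sg, "IpPermissionsEgress": restricted_egress(allowed)}


# Hypothetical allow-list for a Kubernetes worker: the VPC DNS resolver, HTTPS
# inside the VPC (API server, registry) and one package mirror. No open internet.
ALLOWED_EGRESS = [
    ("udp", 53, 53, "10.0.0.2/32"),
    ("tcp", 443, 443, "10.0.0.0/16"),
    ("tcp", 443, 443, "192.0.2.10/32"),
]

HARDENED_SG = harden(OPEN_SG, ALLOWED_EGRESS)


if __name__ == "__main__":
    print("open group   :", unrestricted_egress(OPEN_SG))
    print("hardened     :", unrestricted_egress(HARDENED_SG))
    for rule in HARDENED_SG["IpPermissionsEgress"]:
        print("  allow", rule["IpProtocol"], rule["FromPort"], "->", rule["IpRanges"][0]["CidrIp"])
```

The check distinguishes "all traffic to anywhere" from "one port to anywhere" because the second form is often left in place as a tidy-looking fix; it would have done nothing against the CDN-fronted pool on 443 described earlier. In a live account the same functions run unchanged over the output of the EC2 DescribeSecurityGroups API; the hardened list is then applied by revoking the catch-all rule and authorizing the listed ones. Anything the worker genuinely needs that is missing from the allow-list (OS package repositories, the cloud provider's metadata and API endpoints) shows up as a failed connection and is added deliberately, not by reopening 0.0.0.0/0.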