Hackers Compromise Tesla Cloud Server to Mine Cryptocurrency

It is 2018 and the easiest way to make quick money at someone else’s expense is mining cryptocurrency. This time, however, researchers have found two new victims of cryptojacking: Tesla, Inc. (formerly Tesla Motors) and Wikipedia, the online encyclopedia.

These findings come from two separate IT security firms. Researchers at the California-based cloud threat defense company RedLock discovered that hackers had compromised Tesla’s Amazon cloud account to mine cryptocurrency, while Sucuri researchers found that a Wikipedia article had been edited to include a third-party link to a site that was compromised to mine cryptocurrency.

Tesla’s Amazon account hacked to mine cryptocurrency

An unknown attacker or group of attackers breached Tesla’s Amazon cloud account and used it to mine cryptocurrency. The same access also exposed the company’s highly sensitive data, such as telemetry.

According to RedLock’s researchers, the incident was discovered while they were looking for publicly exposed Amazon Web Services (AWS) buckets; one of them turned out to belong to Tesla and was open to public access without any password.

“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod (an open-source system developed by Google and now maintained by the Cloud Native Computing Foundation), access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock’s researchers noted.

Crypto mining script running in Tesla’s Kubernetes pod (Image credit: RedLock)
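A defender-side check for the failure mode RedLock describes, AWS credentials sitting in plain text inside a Kubernetes pod, as an added example that is not from the original article or from RedLock: it audits pod manifests for environment variables that carry credentials as literal values rather than via a Kubernetes Secret reference. The pod manifests, key values and function names are constructed for illustration.

```python
import re

# Constructed sample pod manifests (not from the RedLock report). The first pod
# mimics the failure mode described above: AWS keys placed directly in the env
# block. The second pulls its secret from a Kubernetes Secret, which is the
# pattern the check treats as acceptable.
SAMPLE_PODS = [
    {
        "metadata": {"name": "telemetry-uploader"},
        "spec": {"containers": [{
            "name": "uploader",
            "env": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEY000001"},  # constructed
                {"name": "AWS_SECRET_ACCESS_KEY",
                 "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},  # constructed
            ],
        }]},
    },
    {
        "metadata": {"name": "web"},
        "spec": {"containers": [{
            "name": "web",
            "env": [
                {"name": "AWS_SECRET_ACCESS_KEY",
                 "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secret"}}},
                {"name": "LOG_LEVEL", "value": "info"},
            ],
        }]},
    },
]

# AWS long-term (AKIA) and temporary (ASIA) access key ids: 4-letter prefix + 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Env var names that normally hold a credential and should never be a literal.
SENSITIVE_NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|ACCESS_KEY)", re.I)


def find_exposed_credentials(pod):
    """Return (pod, container, env name, reason) for each credential stored as a literal."""
    findings = []
    pod_name = pod["metadata"]["name"]
    for container in pod["spec"].get("containers", []):
        for env in container.get("env", []):
            value = env.get("value")
            if value is None:
                continue  # valueFrom (secretKeyRef/configMapKeyRef): not a literal in the manifest
            if ACCESS_KEY_RE.search(value):
                findings.append((pod_name, container["name"], env["name"], "literal AWS access key id"))
            elif SENSITIVE_NAME_RE.search(env["name"]):
                findings.append((pod_name, container["name"], env["name"], "sensitive name with literal value"))
    return findings


def audit(pods):
    """Run the check over every pod manifest and flatten the findings."""
    return [f for pod in pods for f in find_exposed_credentials(pod)]
```

In a live cluster the same function can be fed the output of `kubectl get pods -A -o json` (each entry of `items`), which also surfaces credentials that an attacker with console access could read just as easily.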

The attackers used the opportunity to mine cryptocurrency on the server at Tesla’s expense; however, it is unclear how much cryptocurrency was generated. The researchers also noted that the campaign was highly sophisticated, since the attackers did everything they could to stay under the radar and did not use a well-known public mining pool (according to Fortune, the attackers used cryptocurrency mining software called Stratum in their attack).

The attackers also covered their tracks by hiding the original IP address behind CloudFlare’s firewall and kept the server’s CPU usage as low as possible, so the mining would not raise suspicion and trigger detection.

Tesla acknowledged the hack

RedLock’s researchers contacted Tesla with their findings; the company acknowledged the incident and secured the database “within hours.”

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” said Tesla in a statement.

Giovanni Vigna, director of the Center for Cybersecurity at UC Santa Barbara and co-Founder/CTO of malware protection provider, Lastline, told HackRead in an email conversation that “Accounts that provide access to cloud resources are a very lucrative asset for coin miners, as the criminals can mine coins at the expense of the account’s owner.”

“Kubernetes allows for “Dockerized” instances to be deployed and run at scale, providing the perfect environment to perform large-scale coin mining. In this case, access control mechanisms should be particularly well designed, as access might result in thousands of dollars in cloud-time bills,” said Vigna.

Cryptocurrency mining using Wikipedia

According to Sucuri researchers, on February 2nd Wikipedia redirected users to a website that was compromised with the CoinHive cryptocurrency miner, which used visitors’ CPUs to generate Monero (XMR) coins. It must be noted that Wikipedia itself was not compromised; the redirection was the result of a Wikipedia editor adding a link to a malicious site as a source for the article “Feminist views on transgender topics.”

The malicious link was identified by a Wikipedia user while reviewing the sources in the article. Another user decoded the malicious script and concluded that “it was purely coincidence that a user linked to a site that happened to be infected.”

New ways of cryptocurrency mining

Hackers are becoming more sophisticated and persistent in cryptojacking attacks. Lately, a number of high-profile platforms have been compromised to mine cryptocurrency, including YouTube, BlackBerry’s mobile site, Oracle’s WebLogic servers, Android-based smart TVs and phones, US court and UK NHS websites, and even the world’s largest state-owned oil pipeline company, Transneft, whose computer system was hijacked to mine cryptocurrency.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.