mine cryptocurrency<\/a>. As you do.<\/p>\nThere\u2019s a lot to unpack here, so let\u2019s start from the beginning.<\/span><\/p>\nHow did this happen?<\/h2>\n
Well, let\u2019s start by pointing out that RedLock informed Tesla of this, and Tesla immediately patched it. But there are some additional steps that Tesla could have taken. For one, it could have done a better job of monitoring its configurations. A company like Tesla should have the resources and tools to monitor for risky configurations. That would have likely caught this unsecured Kubernetes console.<\/p>\n
For the record, a Kubernetes is an open-source system for the automated deployment and management of containerized applications.<\/p>\n
Back to Tesla though, it probably could have prevented this by monitoring network traffic better, too. As in, had Tesla correlated network traffic with its configurations it would have seen the suspicious traffic coming from the vulnerable Kubernetes pod.<\/p>\n
This could also underscore the need to incorporate Artificial Intelligence (AI) and machine learning into a defense strategy as well. Had Tesla been able to baseline regular user activity \u2013 when the account is active, what part of the network it interacts with \u2013 it would have seen anomalous activity coming from the credentials in use. Then it could have mitigated the entire situation. Unfortunately humans aren’t well-suited to this kind of task, whereas an AI could handle it quickly.<\/p>\n
What is Crypto-jacking?<\/h2>\n
Crypto-jacking occurs when an attacker infiltrates a network and begins using its computing power to mine cryptocurrency. And actually, per RedLock, this isn\u2019t even the first time attacker have used unsecured Kubernetes consoles as an attack vector. Aviva and Gemalto have also been crypto-jacked.<\/p>\n
But the Tesla attack had some marked differences from its predecessors. Per RedLock:<\/p>\n
Unlike other crypto mining incidents, the hackers did not use a\u00a0well known\u00a0<\/span>public \u201cmining pool\u201d in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an \u201cunlisted\u201d or semi-public endpoint. This makes it difficult for standard IP\/domain based threat intelligence feeds to detect the malicious activity.<\/span><\/p><\/blockquote>\nThe hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.<\/p><\/blockquote>\n
Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.<\/p><\/blockquote>\n
Lastly, the team also observed on Tesla\u2019s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.<\/p><\/blockquote>\n
<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"
The hackers infiltrated Tesla\u2019s Kubernetes console, which was not password protected Tesla has fallen victim to crypto-jacking, per a report by RedLock CSI. Hackers found a way in via a…<\/p>\n","protected":false},"author":6,"featured_media":5922,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[6302,6301],"class_list":["post-5921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-crypto-jacking","tag-tesla","post-with-tags"],"views":10428,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/02\/iStock-531622164.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5921","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=5921"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5921\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/5922"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=5921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=5921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=5921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}