Abstract: Tesla was compromised because its Kubernetes administrative console was exposed to the Internet without any authentication.


Original article: click.aliyun.com/m/43609/


A few months ago, RedLock's research team discovered hundreds of Kubernetes administrative consoles that were directly exposed to the Internet and could be accessed without a password.


Further investigation found that these consoles were being used by attackers for illegal cryptocurrency "mining". Technology companies are being victimized; how can this be prevented?


Crypto-jacking: hackers siphon off other people's computing power to mine


The Tesla mining incident follows similar cases at Aviva, the UK-based international insurer, and Gemalto, the world's largest SIM card maker. Each of these companies runs on the public cloud of one of two international cloud computing giants, and in each case a Kubernetes console was exposed to the Internet with no login authentication at all; the attackers used the exposed compute instances to mine cryptocurrency.
A related family is the WannaMine cryptocurrency miner. It uses the Mimikatz tool to pull credentials out of memory on an infected Windows host, uses those credentials to break into other computers on the network, and then quietly mines Monero with the computing resources it controls. Recall the WannaCry ransomware of May 2017, which infected 100,000 computers in more than 100 countries and caused global panic by exploiting EternalBlue, the SMB exploit leaked from the NSA. Because WannaMine can spread with Mimikatz-harvested credentials, it does not depend on the EternalBlue vulnerability and is hard to detect even on fully patched computers.


These attackers steal other people's computing resources and mine cryptocurrency for their own illicit profit. Their targets include large, high-traffic websites: Showtime, the subscription film service of CBS, one of America's three big broadcast networks, was found to be serving a coin-mining script that ran inside visitors' web browsers and consumed their CPUs.


[Figure omitted: a count, compiled by relevant agencies, of the top 10 countries most affected by malicious coin mining.]


Tesla affected: Kubernetes console not password protected


RedLock's researchers found that Tesla was among the victims: attackers broke into a Kubernetes console that had no password protection. Inside one Kubernetes pod they found credentials for Tesla's public cloud environment, which held sensitive data such as telemetry.


Beyond the exposed data, RedLock noted several fairly sophisticated detection evasion techniques in this attack.
  • No well-known public mining pool was used. The attackers installed mining software and pointed it, through a malicious script, at an unlisted or semi-public endpoint.
  • The real IP address of the mining pool server was hidden behind CloudFlare, a free CDN service, which presents a fresh CDN-facing IP address in its place. Standard IP- and domain-based threat intelligence therefore has a hard time spotting the traffic.
  • The mining software was configured to listen on a non-standard port, so port-based detection of the malicious traffic is difficult.
  • The mining software was kept "low-key" and did not drive CPU usage high, so resource-usage anomaly detection was unlikely to fire.


How do you protect your resources?


Although Tesla and the other companies use public cloud providers, the problem cannot be blamed entirely on the providers: it was the customers themselves who left the console without any authentication configured.
Alibaba Cloud (Aliyun) Container Service for Kubernetes is configured with certificate-based login and with the API server's insecure local port closed, which raises the security baseline considerably. Even if a user configures no password, every cluster access is verified against a client certificate, so a forgotten password does not collapse the defense line.
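As an added example (not code from the original article, from Tesla, or from Alibaba Cloud), the following Python script checks a kube-apiserver static pod manifest for the two settings the paragraph above describes: the unauthenticated insecure port and client-certificate login. The manifest excerpts, file paths and finding codes are constructed for illustration; the live probe function is included for use against a running cluster but is not called by default.

```python
"""Audit of kube-apiserver authentication flags (constructed example)."""
import re
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Constructed excerpts in the shape of /etc/kubernetes/manifests/kube-apiserver.yaml.
INSECURE_MANIFEST = """
spec:
  containers:
  - command:
    - kube-apiserver
    - --insecure-port=8080
    - --insecure-bind-address=0.0.0.0
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --secure-port=6443
"""

HARDENED_MANIFEST = """
spec:
  containers:
  - command:
    - kube-apiserver
    - --insecure-port=0
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --secure-port=6443
"""

# Matches one YAML list item such as "    - --insecure-port=8080".
FLAG_RE = re.compile(r"^\s*-\s*(--[a-z0-9-]+)(?:=(.*))?\s*$")


def parse_flags(manifest: str) -> Dict[str, str]:
    """Collect --flag=value pairs from the manifest text (flags without '=' map to '')."""
    flags: Dict[str, str] = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip()
    return flags


def audit_apiserver(manifest: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no exposure was found."""
    f = parse_flags(manifest)
    findings: List[Tuple[str, str]] = []
    # The insecure port serves the whole API with no authentication and no
    # authorization. Releases before 1.20 defaulted it to 8080, so an absent
    # flag is treated as open rather than closed.
    insecure_port = f.get("--insecure-port", "8080")
    if insecure_port != "0":
        findings.append(("INSECURE_PORT_OPEN", f"--insecure-port={insecure_port}"))
        bind = f.get("--insecure-bind-address", "127.0.0.1")
        if bind != "127.0.0.1":
            findings.append(("INSECURE_PORT_PUBLIC", f"--insecure-bind-address={bind}"))
    # Anonymous requests default to allowed (identity system:anonymous); combined
    # with permissive authorization that is the "no password" console RedLock found.
    if f.get("--anonymous-auth", "true") != "false":
        findings.append(("ANONYMOUS_AUTH", "anonymous requests are accepted"))
    if "AlwaysAllow" in f.get("--authorization-mode", "AlwaysAllow").split(","):
        findings.append(("AUTHZ_ALWAYS_ALLOW", "every identity is authorized for everything"))
    # Without a client CA the server cannot verify client certificates at all.
    if not f.get("--client-ca-file"):
        findings.append(("NO_CLIENT_CA", "certificate login is not enabled"))
    return findings


def anonymous_access_allowed(base_url: str, timeout: float = 5.0) -> bool:
    """Live check (not run here): GET a resource with no credentials.

    A 200 means the server answers unauthenticated requests; 401 or 403 is the
    expected answer from a locked-down cluster. Cluster CAs are usually private,
    so certificate verification is disabled for this read-only probe.
    """
    url = base_url.rstrip("/") + "/api/v1/namespaces"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, audit_apiserver(text) or "no findings")
```

Run it as-is to compare the two constructed manifests; on a real node, feed it the contents of the kube-apiserver manifest, and point `anonymous_access_allowed("https://<api-host>:6443")` at the cluster from outside to confirm that unauthenticated requests are refused.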


At the same time, monitoring capabilities deserve attention: monitor configuration, network traffic, suspicious user behavior, and so on. First, because developers may ignore security group rules, companies should detect the risk automatically: detect when related resources are created, determine which applications run on them, and apply policies appropriate to the resource and application type. A Kubernetes console without a password should be flagged automatically. Second, if network traffic is correlated with configuration data, a company like Tesla can detect suspicious traffic originating in Kubernetes pods. Finally, it is important not only to detect anomalies based on geographic location or time of day, but also to identify abnormal events in their own right.
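As an added example covering both the evasion techniques listed earlier and the monitoring advice above (constructed data and logic, not RedLock's, Tesla's or Alibaba Cloud's detection), the Python below correlates pod egress flows with each workload's configured destinations and inspects cleartext payloads for the Stratum mining protocol. Neither check relies on the IP address, domain, port or CPU signals the attackers defeated. The flow records, workload names, the address 104.16.85.20 and the wallet string are all invented.

```python
"""Behavioural detection of miner egress from Kubernetes pods (constructed example)."""
import json
from typing import Dict, List, NamedTuple, Sequence, Set, Tuple


class Flow(NamedTuple):
    pod: str          # "namespace/pod-name"
    dst_ip: str
    dst_port: int
    duration_s: int   # connection lifetime in seconds
    bytes_out: int    # bytes sent by the pod


# Constructed flow records in the shape a CNI or VPC flow log exports. The api pod
# talks to its database; the worker pod holds one two-hour, low-volume connection
# to an unknown address on an odd port, the pattern the evasion list describes.
SAMPLE_FLOWS: List[Flow] = [
    Flow("prod/api-7d9f", "10.0.3.15", 5432, 2, 18000),
    Flow("prod/api-7d9f", "10.0.3.15", 5432, 3, 22000),
    Flow("prod/worker-a1b2", "104.16.85.20", 14444, 7200, 39000),
    Flow("prod/worker-a1b2", "10.0.9.8", 443, 1, 2500),
]

# Expected egress per workload, taken from deployment configuration (constructed).
# Keying on the workload is what correlates traffic with configuration data.
EXPECTED_EGRESS: Dict[str, Set[Tuple[str, int]]] = {
    "prod/api": {("10.0.3.15", 5432)},
    "prod/worker": {("10.0.9.8", 443)},
}


def workload_of(pod: str) -> str:
    """Strip the pod hash suffix: 'prod/worker-a1b2' -> 'prod/worker'."""
    return pod.rsplit("-", 1)[0]


def flag_unexpected_egress(flows: Sequence[Flow],
                           expected: Dict[str, Set[Tuple[str, int]]],
                           min_duration_s: int = 600,
                           max_bytes_per_s: float = 1024.0) -> List[dict]:
    """Report each (pod, destination) pair absent from the workload's expected egress.

    long_lived and low_volume are the miner-shaped attributes: a pool connection
    stays up for hours and carries only small share submissions, which is why it
    never trips CPU or bandwidth thresholds.
    """
    findings: List[dict] = []
    seen: Set[Tuple[str, str, int]] = set()
    for fl in flows:
        if (fl.dst_ip, fl.dst_port) in expected.get(workload_of(fl.pod), set()):
            continue
        key = (fl.pod, fl.dst_ip, fl.dst_port)
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "pod": fl.pod,
            "dst": f"{fl.dst_ip}:{fl.dst_port}",
            "long_lived": fl.duration_s >= min_duration_s,
            "low_volume": fl.bytes_out / max(fl.duration_s, 1) < max_bytes_per_s,
        })
    return findings


# Stratum is the JSON-RPC protocol miners speak to pools. Matching on its method
# names works whatever port or CDN-fronted address the pool hides behind, but only
# on cleartext connections; Stratum over TLS needs the flow-based check above.
STRATUM_METHODS = {"login", "submit", "mining.subscribe", "mining.authorize", "mining.submit"}


def looks_like_stratum(payload: bytes) -> bool:
    """True if any line of the payload is a Stratum request."""
    for raw in payload.splitlines():
        line = raw.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
            continue
        params = msg.get("params")
        # "login" is common elsewhere; the Monero pool dialect sends login/pass in params.
        if msg["method"] == "login":
            if isinstance(params, dict) and {"login", "pass"}.issubset(params):
                return True
        elif params is not None:
            return True
    return False


# Constructed XMRig-style login line; the wallet address is fake.
SAMPLE_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login",'
                b'"params":{"login":"4ABCDEFexamplewallet","pass":"x","agent":"XMRig/6.0"}}\n')


if __name__ == "__main__":
    for hit in flag_unexpected_egress(SAMPLE_FLOWS, EXPECTED_EGRESS):
        print("unexpected egress:", hit)
    print("stratum login seen:", looks_like_stratum(SAMPLE_LOGIN))
```

The flow check is the one that would have fired in the Tesla case even with CloudFlare fronting, a non-standard port and throttled CPU, because it asks only whether a pod is talking to something its configuration never mentioned and how that connection is shaped; the payload check is a cheap confirmation when the traffic is not encrypted.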


Alibaba Cloud Container Service for Kubernetes supports monitoring at the resource level, from the underlying ECS instances up to pods, services, namespaces and other resources. Although the container platform does not currently support user behavior detection, it can be used together with Alibaba Cloud's data risk control product. That product is provided by Aliju Security and embodies Alibaba's years of business risk control experience; it targets fraud in key links such as accounts, marketing activities and transactions so that the normal user experience is protected.


In addition, Alibaba Cloud's monitoring service for cloud resources and Internet applications reports system-level metrics such as CPU usage, memory usage and public network outbound traffic rate, raises alerts according to the alarm rules you configure, and supports site monitoring over HTTP, TCP and six other protocols (eight in all) as well as custom monitoring.


References


RedLock CSI Team, "Lessons from the Cryptojacking Attack at Tesla"
Open Trading Network, "Crypto-jacking — What's really going on inside your computer?"

