Cryptojacking is quickly becoming a very serious problem in the world of security and cryptocurrency. Especially when it comes to unprotected online administration consoles, a lot of damage can be done. Surprisingly, Tesla has fallen victim to this increasingly popular trend as well. It is evident cryptocurrency mining malware will not be going away anytime soon.
Tesla and Cryptojacking
For those unaware of what cryptojacking is all about, it is rather easy to explain. This criminal activity revolves around infecting computers with malicious software to mine cryptocurrencies on the assailant’s behalf. Different forms of cryptojacking exist as of right now, including mining malware and browser-based scripts such as CoinHive being implemented on hacked platforms. It is quickly becoming a lucrative business for a lot of criminals, especially when they target some of the world’s biggest companies.
In recent months, cryptojacking has affected a fair few companies. Aviva, a British insurance company, and Gemalto, the world’s largest manufacturer of SIM cards, are two of the more noteworthy targets to date. Both firms had their login credentials for their Amazon Web Services and Microsoft Azure environments exposed due to lackluster security. Criminals used those credentials to infect these platforms to mine cryptocurrencies such as Monero and Zcash. This activity flew under the radar for some time, but it was eventually addressed successfully.
Unfortunately, those are not the only major companies to have fallen victim to cryptojacking. In fact, this threat has become so popular that major firms are at risk of falling victim now more than ever before. The current method of attack is also rather different compared to the earlier incidents. Some malware types steal credentials from computer memory, whereas others use stealthy mining tools to generate cryptocurrencies without stressing infected systems too much.
One of the more recent victims of cryptojacking is none other than Tesla. Research from RedLock CSI shows Tesla’s console was breached because it was never properly password-protected. Consequently, the hackers gained access to the dedicated access credentials for Tesla’s AWS environment. With these credentials, the hackers could then install cryptocurrency mining malware on those servers to quietly generate an unknown cryptocurrency. Thankfully, the issue has since been addressed, yet it does show there’s still a lot of work to be done in Tesla’s security department.
What makes this particular incident rather interesting is that the criminals didn’t use a public mining pool to generate cryptocurrency. Instead, the installed malware connected to an unlisted endpoint, which made it impossible for Tesla’s security solutions to detect this activity right away. Moreover, the mining pool service’s IP address was obfuscated using CloudFlare. This allowed them to switch the IP of this mining pool with just a few clicks, which means this particular pool will remain a problem for quite some time to come.
It is also interesting to note how this “new” malware hides itself quite well when it comes to utilizing CPU resources. In fact, the hijacked Tesla Kubernetes dashboard didn’t show a big increase in CPU usage, which is rather interesting. This further confirms criminals will modify this malware to evade detection for as long as possible. It is unclear how much money they made while Tesla’s servers were infected, though.