If you were to design the perfect money-spinning tool for cybercriminals, it would probably look something like a cryptocurrency. There is no need to sell data or credit card numbers, create spurious advertising campaigns, or deal with less-than-honest middlemen to make a buck. All the enterprising criminal has to do is compromise a server, install cryptomining malware, point it at their digital wallet, and wait for the money to come rolling in.
Tesla is the latest high-profile victim of cryptojacking — the use of cryptomining malware to generate coins. The Tesla story is interesting from a number of perspectives that are relevant to colocation clients, not least the technique the attackers used to compromise Tesla’s servers. The attackers used an unsecured Kubernetes console to access credentials for Tesla’s cloud infrastructure, giving them access to sensitive data and the infrastructure on which they ran the cryptomining software.
Businesses are likely to see their security systems come under even greater pressure because of the ease with which cryptomining can be used generate revenue for criminals, the rising value of cryptocurrencies, and the increasing expense of legitimate mining.
A recent survey revealed that cryptomining malware affects 23% of organizations globally, and although cryptomining might seem relatively benign compared to ransomware, the cost in wasted infrastructure and energy are not insignificant (aside from the fact that being infected with cryptomining malware is an obvious indication of infrastructure vulnerability).
There are two main techniques criminals use to mine: they use compromised infrastructure to mine directly, or they use their access to that infrastructure to embed JavaScript mining code in user-facing sites and applications, recruiting both the business and its customers into a distributed mining operation.
The method used to compromise servers is often fairly typical: outdated software, brute force attacks, or supply chain attacks. In this case and several others, the culprit was a woefully insecure Kubernetes installation. Kubernetes is used by many businesses, including colocation clients, to deploy, scale, and manage containerized applications. Much of that management takes place via a web console which isn’t password protected by default.
The first lesson to be learned here is that if you’re using Kubernetes, make sure you have password protected the console. It’s a sure bet that other criminals are trawling the web looking for Kubernetes consoles to take advantage of.
The second lesson is to be careful about where your business stores access credentials for its infrastructure. In the Tesla incident, it was AWS credentials stored in a Kubernetes pod, but there are plenty of other opportunities for authentication credentials and private keys to find their way into publicly accessible systems like GitHub or internet-facing production code.
It might also be worth considering a bug bounty program that incentivizes “researchers” to report any vulnerabilities they discover rather than selling that information or exploiting it themselves.