Monday, February 26, 2018

Tesla's AWS servers hijacked by cryptominers

The hijacking of Tesla's Amazon Web Services cloud environment by a rogue cryptominer is proof that no one is safe from a misconfigured AWS server or from cryptomining attacks.

RedLock researchers discovered an unprotected Kubernetes console owned by Tesla that exposed access credentials for Tesla's Amazon Web Services environment.

"Essentially, hackers were running cryptomining scripts on Tesla's unsecured Kubernetes instances," the researchers said in their February 2018 report on cloud security trends. "To hide their identities, the scripts connected to servers that sat behind CloudFlare, a content delivery network."

The AWS environment also held sensitive data such as vehicle telemetry, and the malicious activity went unnoticed by Tesla because of the techniques the threat actors used to hide it, the researchers said.

The threat actors made it hard for domain-based threat detection systems to spot their activity: they hid the true IP address of the mining pool, and they kept CPU usage low to avoid the suspicious traffic that would otherwise draw attention to the cryptominers.

The prevalence of unsecured AWS servers and the prevalence of cryptomining attacks suggested it was only a matter of time before the two were combined in a single attack. Despite the attack's inevitability, researchers say Amazon and Tesla share responsibility for it, although some argue that Amazon could do more to prevent attacks that have become so common.

"Even with this model, I think AWS could play a bigger role by offering services such as GuardDuty to customers for free, so they can take advantage of AWS's visibility into their platform," said David Cook, who is responsible for distribution at Databricks. "You can quickly identify things like malicious services, such as Bitcoin miners."

Even if such services were offered, Cook said, customers should still follow best practices such as change management, key management, regular service audits, monitoring and scanning. Some researchers believe that blame is not always black and white in these scenarios.
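The two failures this story turns on, an exposed Kubernetes console and AWS credentials sitting where an intruder could read them, are both things a customer can scan for before deployment. The script below is an added example of such a scan, not RedLock's, Tesla's or any vendor's tooling: it audits Kubernetes objects (given as dicts, i.e. the JSON form of YAML manifests) for a Dashboard Service published outside the cluster and for pod environment variables that hard-code AWS credentials. The `k8s-app: kubernetes-dashboard` label is the one used by the upstream dashboard manifests; the `AKIA` key-ID pattern, the environment variable names, the sample manifests and the fake key value are assumptions or constructed test data.

```python
import json
import re

# Assumed detection rules (example code, not RedLock's or Tesla's tooling):
# AWS access key IDs are 20 characters and begin with "AKIA".
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Environment variable names that conventionally carry AWS credentials.
SENSITIVE_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
# Service types that publish a port outside the cluster.
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}
# Label the upstream kubernetes-dashboard manifests put on the dashboard Service.
DASHBOARD_LABEL = ("k8s-app", "kubernetes-dashboard")


def _containers(obj):
    """Return the container list of a Pod or of a Deployment's pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec.get("containers", [])
    return spec.get("template", {}).get("spec", {}).get("containers", [])


def audit_manifests(manifests):
    """Return a list of finding strings for a list of Kubernetes objects (dicts)."""
    findings = []
    for obj in manifests:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        if kind == "Service":
            svc_type = obj.get("spec", {}).get("type", "ClusterIP")
            labels = meta.get("labels", {})
            key, val = DASHBOARD_LABEL
            if labels.get(key) == val and svc_type in EXTERNAL_SERVICE_TYPES:
                findings.append(f"{ident}: Kubernetes Dashboard exposed outside the cluster via {svc_type}")
        elif kind in ("Pod", "Deployment"):
            for c in _containers(obj):
                for env in c.get("env", []):
                    value = env.get("value")
                    if value is None:
                        continue  # valueFrom (e.g. secretKeyRef) is not a literal in the manifest
                    name = env.get("name", "")
                    if name in SENSITIVE_ENV_NAMES or AWS_ACCESS_KEY_RE.search(value):
                        findings.append(f"{ident}: container {c.get('name')} hard-codes AWS credential in env {name}")
    return findings


# Constructed sample manifests (JSON form of YAML objects); the access key value is fake.
SAMPLE_MANIFESTS = json.loads("""
[
  {"kind": "Service",
   "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system",
                "labels": {"k8s-app": "kubernetes-dashboard"}},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
  {"kind": "Deployment",
   "metadata": {"name": "telemetry-ingest", "namespace": "prod"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "ingest",
      "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE00"},
              {"name": "AWS_SECRET_ACCESS_KEY",
               "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secret"}}}]}]}}}},
  {"kind": "Service",
   "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system-hardened",
                "labels": {"k8s-app": "kubernetes-dashboard"}},
   "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}}
]
""")


def run_sample():
    """Audit the constructed manifests; returns the findings list (two findings expected)."""
    return audit_manifests(SAMPLE_MANIFESTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the constructed input the script flags the LoadBalancer-exposed dashboard and the literal `AWS_ACCESS_KEY_ID`, but not the credential injected through `secretKeyRef` or the ClusterIP-only dashboard. Pointing it at real cluster output (`kubectl get ... -o json`) would need only the item list unwrapped; it is deliberately limited to literal values, since secrets referenced from a Secret object need a separate check of who can read that Secret.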

"Any time there is a compromise or a data breach, there is a tendency to point fingers, but the reality is not so clear-cut: security has no on/off switch, and it is important to layer multiple security measures for protection," Ken Spinner, vice president of field technology at Varonis, told SC Media. "AWS provides a set of basic controls, such as two-factor authentication and virtual private clouds (VPC), to help protect accounts, monitor systems and prevent data leakage, but it is not a quick fix."

Spinner said that once credentials are exposed, it is almost impossible for AWS to determine whether a given use of them is legitimate, adding that ultimately it is up to the customer to secure their own data. Given the value of these servers, both for the data they hold and for their computing power, it was only a matter of time before cybercriminals tried to compromise them.

"Accounts that grant access to cloud resources are a very lucrative asset for miners, because criminals can mine coins at the expense of the account owner," Giovanni Vigna, director of the Cybersecurity Center at UC Santa Barbara, told SC Media. "Kubernetes allows Dockerized instances to be deployed and operated at scale, which provides the ideal environment for large-scale coin mining."

Vigna added that, in this case, access control mechanisms must be especially well designed, because compromised access could run up thousands of dollars in cloud computing bills.

Experts agree that it is the AWS customer's responsibility to protect their data and follow best practices. Kunal Anand, chief technology officer of Prevoty, told SC Media that Amazon already does a good job of letting organizations see the permissions and policies tied to their services.

"Unfortunately, application and data security is an afterthought for organizations that let their teams move fast with DevOps," Anand said. "I think the main
