santiago silver - Fotolia

Unprotected Kubernetes consoles expose firms to cryptojacking

A number of big companies have been targeted by crytojacking attacks, where cyber criminals hijack computing power to mine cryptocurrencies, but some have unprotected Kubernetes consoles in common

Car and energy technology firm Tesla, British multinational insurance company Aviva and digital security firm Gemalto are among a growing number of organisations being targeted by illicit cryptocurrency mining operations – but they all left the door wide open to attackers, according to security firm RedLock.

RedLock researchers discovered that Tesla, Aviva and Gemalto were all using open source Kubernetes administration consoles designed by Google that were accessible over the internet, but had no password protection.

These companies were among “hundreds” that had exposed Kubernetes consoles, the researchers said, highlighting just one of the ways organisations could be making it easy for cyber criminals to hijack computing resources, which many are unable to detect.

Unprotected cloud resources is a common problem, according to Javvad Malik, security advocate at AlienVault. It is just one of the indicators that many organisations’ security capabilities have not kept pace with the accelerating adoption of cloud computing services.

“While cloud offerings can benefit companies greatly, they do introduce different types of risks that need to be understood and effectively managed by enterprises,” Malik told Computer Weekly in a recent interview.

The lack of password protection on the Kubernetes consoles meant cyber criminals were able to access the consoles as well as the access credentials for these firms’ Amazon Web Services (AWS) and Microsoft Azure environments. With access to these cloud environments, the attackers were then able to tap into the available computing power to mine cryptocurrency without the consent or knowledge of the account holders, which is known as cryptojacking.

Cryptocurrency mining refers to the process of creating cryptocurrencies when computers run complex mathematical equations, but this typically requires high levels of computing powers, such as that commonly found in cloud-based environments.

Cryptojacking has rapidly increased in popularity with cyber criminals, spurred on in part by the meteoric rise in value of the bitcoin crytptocurrency towards the end of 2017. But its subsequent sharp fall does not appear to have dented cryptojacking’s popularity, with cyber criminals turning instead to other cryptocurrencies such as ethereum and monero.

Earlier this month, a Europol warning that cyber criminals were using cryptocurrencies to hide and launder billions in illicit funds coincided with news that more than 4,000 websites, including many in the public sector, had been injected with code designed to hijack visitors’ computers to mine for cryptocurrency.

In Tesla’s case, the attackers found access credentials for its AWS environment and were able to access an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive telemetry data related to Tesla cars.

In addition to the data exposure, RedLock researchers said the attackers were performing cryptomining from within one of Tesla’s Kubernetes pods. Although they did not identify which cryptomining tool was used, the researchers said the attackers were using “sophisticated” evasion measures.

Unlike other cryptomining incidents, the attackers that targeted the Tesla AWS account did not use a well-known public “mining pool”, but instead installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.

The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services, which makes IP address-based detection of cryptomining activity even more challenging, the researchers said.

The mining software was also configured to listen on a non-standard port, which makes it hard to detect the malicious activity based on port traffic, and the mining software was configured to keep CPU usage low to reduce the risk of high CPU usage attracting attention.

RedLock said Tesla responded immediately to the breach and took remedial measures. Tesla also released a statement saying that it had not uncovered any sign of customer privacy or vehicle safety or security having been compromised.

To prevent cyber criminals from cashing in on an organisation’s in-house or third-party computing power, RedLock recommends that they:

1. Monitor configurations

With DevOps teams delivering applications and services to production without any security oversight, organisations should monitor for risky configurations, the RedLock researchers said. This involves deploying tools that can automatically discover resources as soon as they are created, determining the applications running on the resource, and applying appropriate policies based on the resource or application type.

Configuration monitoring could have helped Tesla immediately identify that there was an unprotected Kubernetes console exposing its environment, they said.

2. Monitor network traffic

By monitoring network traffic and correlating it with configuration data, the researchers said Tesla could have detected suspicious network traffic being generated by the compromised Kubernetes pod.

3. Monitor for suspicious user behaviour

It is not uncommon to find access credentials to public cloud environments exposed on the internet, as was the case in the Uber breach, the RedLock researchers said. Organisations therefore need a way to detect account compromises. This requires baselining normal user activities and detecting anomalous behaviour that goes beyond just identifying geo-location or time-based anomalies, but also identifying event-based anomalies.

Other cryptojacking attacks such as the Smominru botnet have used the Microsoft Windows operating system using the EternalBlue server message block (SMB) exploit to spread, while others have exploited a vulnerability in Oracle’s Fusion Middleware. Businesses have been urged to patch these known vulnerabilities to block cryptojacking attacks that exploit them.

Read more on Hackers and cybercrime prevention