A warning: Tesla's Kubernetes console was hacked

Abstract: Tesla fell victim to attackers because its Kubernetes platform was not password-protected.

Original text: http://click.aliyun.com/m/43609/

A few months ago, RedLock staff discovered that hundreds of Kubernetes management consoles could be accessed without a password, that is, they were directly exposed to the Internet.

After expert research, it was found that hackers were deliberately using these consoles for illegal "mining". If even tech geeks are being hacked, how should the rest of us prevent it from happening?

Crypto-jacking: hackers freeload on others' computing power to mine

Before Tesla's "mining" incident, the British international insurance company Aviva and the world's largest SIM card manufacturer Gemalto were also affected. These companies used the public cloud services of two international cloud computing giants. Access to their consoles was directly exposed to the outside world without password authentication, and hackers used the exposed computing instances to mine cryptocurrencies.

WannaMine, a cryptocurrency-mining malware, uses the Mimikatz tool to pull passwords from computer memory and break into other computers on the network, then quietly mines the Monero cryptocurrency on the computing resources it controls. You may still remember the WannaCry ransomware incident of May 2017, which infected more than 100,000 computers in more than 100 countries and caused global panic; it used the NSA exploit EternalBlue. WannaMine's use of Mimikatz lets it avoid relying on the EternalBlue exploit, so it evades detection even on well-patched computers.

These hackers steal other people's computing resources and mine cryptocurrencies for their own illegal profit. Their targets include large high-traffic websites, such as "Showtime", the paid video service of CBS, one of the three major news networks in the United States.

Relevant agencies have ranked the top ten countries most affected by hackers mining coins.

Tesla as victim: the Kubernetes console was not password protected

RedLock experts found that Tesla was a victim: hackers infiltrated an unprotected Kubernetes console. From a Kubernetes pod they stole access credentials for Tesla's public cloud environment, which stored sensitive data such as telemetry.

Beyond the exposed data, RedLock also noticed some more sophisticated detection-evasion methods in this attack.

  • First, no known public "mining pool" was used. The attackers installed mining software and linked it to unlisted or semi-public endpoints via malicious scripts.
  • Second, the hackers hid the real IP address of the mining pool server behind CloudFlare, a free CDN service, obtaining a new IP address through that service. Standard IP- or domain-based detection therefore struggles to spot such malicious behavior.
  • Third, the mining software listened on non-standard ports, which makes port-based detection of malicious traffic difficult.
  • Finally, the mining software kept a "low profile": it did not cause excessive CPU or resource usage, so it was not easy to detect.

How can I protect my own resources?

Although Tesla and the other companies used the services of public cloud providers, the blame cannot be placed entirely on the suppliers; after all, it was the users themselves who did not configure passwords.

The Alibaba Cloud Container Service Kubernetes cluster is configured with certificate-based login and its insecure local port is closed, so its level of security is high. Even if the user does not configure a login password, cluster access still requires certificate verification, so a single missing setting does not collapse the whole line of defense at a touch.

At the same time, attention should also be paid to improving monitoring capabilities: monitor configuration, network traffic, suspicious user behavior, and more. First, R&D staff may ignore security group rules, so companies should detect such risks by automatically discovering the creation of related resources, determining which applications run on them, and applying appropriate policies based on resource and application type; a Kubernetes console without a password would then be detected as a matter of course. Second, Tesla could have detected suspicious traffic from its Kubernetes pods had it correlated network traffic with configuration data. Finally, detect anomalies not only by geographic location or time, but also by identifying anomalous events in user behavior.
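One way to implement the correlation just described, and to catch the evasion techniques listed earlier, as an added example that is not RedLock's or Alibaba Cloud's code: it joins a constructed Service inventory and per-pod egress allow-list with constructed flow records, flags an Internet-facing console that requires no authentication, and aggregates pod connections to destinations outside their declared configuration, reporting session duration and throughput because a low-profile miner holds a persistent, low-bandwidth pool connection on an arbitrary port.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "pod dst_ip dst_port duration_s bytes_out")

# Constructed configuration inventory (hypothetical, not real cluster data):
# which Services face the Internet and whether the endpoint requires auth.
SERVICES = [
    {"name": "kubernetes-dashboard", "type": "LoadBalancer", "auth": "none"},
    {"name": "telemetry-api", "type": "ClusterIP", "auth": "token"},
]
# Constructed per-pod egress allow-list: destination ports each pod should use.
EXPECTED_EGRESS = {"web-7f9c": {443}, "batch-1a2b": {5432}}

# Constructed flow records of the kind a CNI flow logger would export.
FLOWS = [
    Flow("web-7f9c", "198.51.100.7", 443, 2, 4096),
    Flow("batch-1a2b", "10.0.3.12", 5432, 30, 900_000),
    Flow("batch-1a2b", "203.0.113.9", 8899, 7200, 65_000),  # hours-long, tiny
    Flow("batch-1a2b", "203.0.113.9", 8899, 7100, 64_000),
]

def exposed_consoles(services):
    """Config check: a console reachable from outside the cluster with no
    authentication is the misconfiguration behind the Tesla incident."""
    return [s["name"] for s in services
            if s["type"] in ("LoadBalancer", "NodePort") and s["auth"] == "none"]

def suspicious_egress(flows, expected, min_duration_s=3600):
    """Correlate traffic with configuration: aggregate connections from each pod
    to destinations whose port is absent from the pod's declared egress set.
    Duration and bytes/s are reported because a miner keeping a low profile
    stays under CPU and bandwidth alarms yet keeps a persistent pool session."""
    totals = {}
    for f in flows:
        if f.dst_port in expected.get(f.pod, set()):
            continue
        key = (f.pod, f"{f.dst_ip}:{f.dst_port}")
        d, b = totals.get(key, (0, 0))
        totals[key] = (d + f.duration_s, b + f.bytes_out)
    return [{"pod": p, "dst": dst, "duration_s": d,
             "bytes_per_s": round(b / max(d, 1), 1),
             "persistent": d >= min_duration_s}
            for (p, dst), (d, b) in sorted(totals.items())]

if __name__ == "__main__":
    print("exposed consoles:", exposed_consoles(SERVICES))
    for finding in suspicious_egress(FLOWS, EXPECTED_EGRESS):
        print("undeclared egress:", finding)
```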

The Alibaba Cloud Container Service for Kubernetes supports monitoring at every resource level, from the underlying ECS instances up to Pods, Services, namespaces and other resources. Although the container platform does not currently support user behavior detection, it can be used together with Alibaba Cloud's data risk control products. This data risk control product is provided by Alibaba Juan Security and is based on Alibaba's years of business risk control experience; it specifically addresses fraud threats in key links such as accounts, activities, and transactions while preserving the normal user experience.

In addition, Alibaba Cloud Monitoring is a monitoring service for Alibaba Cloud resources and Internet applications. It reports basic system-level indicators such as CPU usage, memory usage, and public network outbound traffic rate, and raises alerts on abnormalities according to the alarm rules you set. It also supports site monitoring over 8 protocols including HTTP and TCP, as well as custom monitoring.

Reference article

Lessons from the Cryptojacking Attack at Tesla by RedLock CSI Team

Crypto-jacking — what’s really going on inside your computer? by Open Trading Network
