Where Rubber Meets the Road: Exposed Credentials in DevOps Tools Facilitate Cryptocurrency Mining
March 2, 2018 | DevOps | Chris Smith
Cloud and DevOps enable powerful, transformational advances across many businesses – from finance to manufacturing. But what happens when a cyber attacker gets hold of the access keys to the cloud account of a leading automobile manufacturer? Well, as learned in the recently reported breach at Tesla, the attackers exploited access to mine for cryptocurrency!
Reportedly, attackers discovered an unprotected DevOps tool belonging to Tesla. In this case it was a Kubernetes console that exposed AWS Access Keys. With these credentials, the attackers gained access to Tesla’s cloud environment. Once the attackers had the AWS Access Keys, they were able to set up scripts to mine for cryptocurrency using the stolen compute resources.
Cryptocurrency mining using a hacked cloud account is becoming increasingly popular with hackers, especially given the recent increases in cryptocurrency values – it’s viewed as an easy route to monetize an attack. But this type of attack could have been worse. Once the attackers have the access keys, they can access other cloud resources, copy sensitive data, and do other damage to the enterprise’s cloud workloads.
Unprotected DevOps Tools – A Growing Vulnerability
This breach serves as a powerful warning to prioritize management of the access and credentials for the DevOps and automation tools used throughout the CI/CD pipeline.
Three Key Takeaways from the Tesla Breach
- Protect your cloud credentials and access keys. Cloud credentials, such as AWS Access Keys, are very powerful. In the wrong hands they give unauthorized access to compute resources and sensitive data. Essentially, the access keys and cloud management console really do hold the keys to the cloud kingdom.
- Proactively check if your cloud resources are being used for cryptocurrency mining. Because cloud compute resources are powerful and can be assigned dynamically, they are attractive targets for cryptocurrency miners. Cryptocurrency mining enables attackers to readily monetize their attack at the enterprise’s expense: the attacker gets the cryptocurrency, and the enterprise pays the compute bill. As with other attacks, it may be a while before the enterprise detects the problem.
- Protect the admin consoles for all your DevOps and other automation tools. The admin consoles of DevOps tools can be vulnerabilities and act as entry points that need to be protected. Because DevOps pipelines comprise multiple tools, there are multiple potential entry points.
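As an added example for the first takeaway (not code from the original post or from CyberArk), the following audit flags pod specs that carry AWS credentials as literal environment values, which anyone able to open a Kubernetes console can read. It assumes the keys sit in container `env` entries; the function name and the sample pods are hypothetical and constructed for illustration.

```python
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

def find_inline_aws_credentials(pod_list):
    """Flag container env vars that carry AWS credentials as literal values.

    pod_list is the parsed output of `kubectl get pods -A -o json`.
    Values are never copied into the findings, only their location.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for container in containers:
            for env in container.get("env", []):
                value = env.get("value")
                if not value:
                    continue  # set via valueFrom (e.g. secretKeyRef) or empty
                if env.get("name") in CREDENTIAL_VARS:
                    reason = "credential variable holds a literal value"
                elif KEY_ID_RE.search(value):
                    reason = "value contains an AWS access key ID"
                else:
                    continue
                findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                                 "container": container.get("name"),
                                 "env": env.get("name"), "reason": reason})
    return findings

# Constructed sample; the key ID is the placeholder used in AWS documentation.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ci", "name": "batch-worker"},
     "spec": {"containers": [{"name": "worker", "env": [
         {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
         {"name": "LEGACY_CFG", "value": "region=us-east-1;id=AKIAIOSFODNN7EXAMPLE"},
         {"name": "LOG_LEVEL", "value": "info"}]}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "app", "env": [
         {"name": "AWS_SECRET_ACCESS_KEY",
          "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "secret"}}}]}]}},
]}

if __name__ == "__main__":
    for finding in find_inline_aws_credentials(SAMPLE_PODS):
        print(finding)
```

Any key the audit finds should be rotated as well as moved out of the spec, since it has already been readable through the console.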
Organizations Must Proactively Secure DevOps and Cloud Environments
Whether your enterprise fully embraces DevOps or is just starting to adopt automation and DevOps, it is clear that the credentials for the admin consoles for DevOps and automation tools need to be secured and managed. The potential risks of cryptocurrency mining can be greatly reduced by maintaining basic cyber hygiene best practices to address and secure DevOps and cloud environments. Risk management for CI/CD pipelines and the cloud needs to be prioritized with the same, consistent policy enforcement that organizations use on-premises.
Securing the admin consoles for an organization’s DevOps and automation tools, and its cloud management consoles, is a basic first step.
As a next step, consider attending a CyberArk DevOps workshop, talking to one of our DevOps experts, scheduling a demo, or starting to use CyberArk Conjur open source edition by following the “Simple Steps to Protect Your DevOps Tools from Cryptocurrency Miners” outlined in the technical blog on Conjur.org.