As many of you have heard, Tesla Motors’ website was “hacked” on Saturday as well as its official Twitter account. The teslamotors.com website was redirected to a server hosted in Amsterdam. Within a few minutes, the account began sending tweets promising free Tesla cars to those who called a certain phone number, which belonged to a computer repair shop in Illinois, and was presumably tweeted out to flood the number’s owner with calls. Later that same day it was revealed that Tesla founder Elon Musk’s Twitter account was compromised. According to Dave Smith at Business Insider “though the parties claiming responsibility offer up different names, it appears to be one coordinated attack on all of Musk’s online and social properties.”
Let’s take a deeper dive into what happened.
1) This was not a “hack,” but a series of related defacements
We’d first like to communicate that we believe this to be a compromise, and not necessarily a “hack.” This attack (and we use the term loosely) involved the redirecting of legitimate traffic destined for teslamotors.com to an IP address of the attackers’ choosing.
Visitors to the domain were presented with the following page (as captured by David Maynor via his Twitter feed):
— David Maynor (@Dave_Maynor) April 25, 2015
At roughly the same time, the corporate Twitter account for Tesla was compromised. Once controlled by the attackers, several tweets appeared from the @TeslaMotors Twitter account and the name of the account was changed to “#RIPPRGANG.” The account also tweeted the number to call to get a free Tesla. The number was that of a small computer repair shop in Illinois.
Elon Musk’s account also began tweeting messages about free cars and where they can be picked up–at the same address in Illinois.
2) The domain registrar may have been socially engineered to give up control of the teslamotors.com domain
It appears that very little sophistication was involved in this defacement. As such, there was initial speculation of a social engineering (SE) attack against the domain registrar but sources close to the investigation inform us that the SE attack vector was not exploited.
A SE attack against the registrar would explain how the attackers were able to gain access to both the corporate Twitter account and the account of founder Elon Musk. By controlling the domain, and by association the MX (mail exchange) records, the attackers could request a password reset for the Twitter accounts.
By controlling the MX record, the e-mailed password resets would have given the attacker control of the social account passwords.
“Posing as a Tesla employee, somebody called AT&T customer support and had them forward calls to an illegitimate phone number. The impostor then contacted the domain registrar company that hosts teslamotors.com, Network Solutions. Using the forwarded number, the imposter added a bogus email address to the Tesla domain admin account. The impostor then reset the password of the domain admin account, routed most of the website traffic to a spoof website and temporarily gained access to Tesla’s and Elon’s Twitter accounts.”
Tesla’s corporate network, cars, and customer database were not affected and everything has been restored to normal, according to the spokesperson.
“We are working with AT&T, Network Solutions, and federal authorities to further investigate and take all necessary actions to make sure this never happens again,” the spokesperson added.
So the domain registrar was not SEd, but rather AT&T. This is not the first time that AT&T was tricked into redirecting calls to an illegitimate phone number.
3) DNS shows a timeline of changes during the attack
As you can see from OpenDNS Investigate results for teslamotors.com, the domain’s IP address was changed on April 25th from 220.127.116.11 to 4 additional IP addresses not owned or controlled by Tesla.
The historical (and expected) IP address for teslamotors.com is associated with AS 40913 owned by Quality Technology Services Santa Clara, LLC. This is where the domain is usually hosted.
The new IP addresses are shared between hosting providers Digital Ocean (AS 200130), VOXILITY (AS 3223), and OVH (AS 16276). As you can see below, at least 2 of the IP addresses have a questionable track record.
4) So far, nothing indicates visitors were at risk for malware downloads
The teslamotors.com domain received a surge in visits between 04:00 and 07:00 UTC. The most significant spike to the domain occurred on April 26th at 05:00 UTC as shown below.
This was likely due to the attackers publicizing the “hack.” The subsequent Internet frenzy to visit the site ensued and was noticed by more than a few individuals.
There is no indication of any malware being dropped, nor were visitors redirected to another site to download malware. This can be verified by the HTML dump of the fraudulent site on Pastebin: http://pastebin.com/j6kz0Kdk.
5) The Islamic State of Iraq and ash-Sham (ISIS) was not likely involved, but Lizard Squad may have been?
— David Maynor (@Dave_Maynor) April 25, 2015
The newly created domain was registered at ENom and hosted at DreamHost Web Hosting for a brief time. So was this the work of ISIS? In a word, unlikely. It’s incredibly unlikely that ISIS would have it out for Tesla as a company. It’s even more unlikely that they’d direct their anger at a small Illinois-based computer repair shop. There are speculations around the research community, as well as the targeted individual, that this breach was the work of “Ryan” aka “zeekill” aka “Julius Kivimäki”, a Finish national with alleged ties to Lizard Squad.
Receiving reports that Julius Kivimaki hacked Tesla and Elon Musk’s Twitter accounts and websites by Social engineering NetworkSolutions
— r000t (@rootworx) April 26, 2015
OpenDNS can neither confirm nor deny attribution at this time.
The use of Jihadist-inspired defacements is not new. As many of these defacements are meant to drive traffic to the hijacked site, instill fear, and increase publication int he popular media, the use of controversial (yet unrelated) imagery and messaging is becoming common place.
As always, please let us know if you have any additional information or would like to talk to us about our findings.
The post Five Things To Know About The Tesla Motors Compromise appeared first on OpenDNS Security Labs.
Reports show that as little as 10 percent of businesses have formally adopted Internet of Things (IoT) devices in their IT environments. But if the security community has learned one thing from the history of shadow IT, it’s that informal adoption of IoT devices in the enterprise is already much higher. OpenDNS Security Labs invites its readers to participate in this quick and anonymous survey regarding IoT use on business networks.
Create your free online surveys with SurveyMonkey , the world’s leading questionnaire tool.
As reported by a number of different sources, Google’s primary web property in Vietnam (www.google.com.vn) had its DNS abused by an individual (or individuals) claiming affiliation with Lizard Squad.
Based on the DNS queries over the past 2 days, we noticed that the DNS infrastructure changed from the expected Google name servers (ns1.google.com, ns2.google.com) to CloudFlare (18.104.22.168, 22.214.171.124). This was identified using OpenDNS Investigate and corroborated by several other publicly available tools. Though only a brief redirection, visitors to the legitimate www[.]google[.]com[.]vn site were surreptitiously redirected to a DigitalOcean-hosted server with the following message:
A DigitalOcean IP served as the endpoint for the hijacked site and, according to MaxMind, was located in the Netherlands – at least until it was taken down.
What’s interesting is that the IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001.
Prefix description: DigitalOcean
Country code: NL
Origin AS: 202018
Origin AS Name: DOAMS3 — DigitalOcean Amsterdam
RPKI status: No ROA found
First seen: 2014-08-13
Last seen: 2015-02-23
Seen by #peers: 170
We’re not sure if this was an attempt to “confuse” network analysts and legacy tools or if this was simply a case of “we don’t care what IP address we get as we’re mapping a domain name to it”.
The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests.
We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server. In close we’d also like to give kudos to CloudFlare for their diligence in coordinated the taken down of this fraudulent site shortly after the redirect was detected.