{
  "type": "bundle",
  "id": "bundle--4412cae0-9f7e-4030-bcd8-e5bb8a005f22",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.772Z",
  "modified": "2026-06-11T23:57:51.772Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--130cfa8f-3152-4a3e-bd99-6f4230907dad",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--0edd4903-ef03-46b5-ae58-6d595efa73e9",
      "start_refs": [
        "attack-condition--394e0f5c-534b-406d-a714-60124f89e437",
        "attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb"
      ],
      "name": "Tesla Kubernetes Breach",
      "description": "A cryptomining attack discovered on a Tesla Kubernetes (k8s) cluster.",
      "scope": "incident",
      "external_references": [
        {
          "source_name": "The Cryptojacking Epidemic",
          "description": "RedLock CSI Team. Feb 20 2018. (archive.org)",
          "url": "https://web.archive.org/web/20210110185439/https://redlock.io/blog/cryptojacking-tesla"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--0edd4903-ef03-46b5-ae58-6d595efa73e9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "name": "Mark Haase",
      "contact_information": "mhaase@mitre.org"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--394e0f5c-534b-406d-a714-60124f89e437",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Tesla's Kubernetes dashboard is exposed to the public internet with no password required for access."
    },
    {
      "type": "attack-action",
      "id": "attack-action--7edcb647-8d0c-4ba4-86e8-b2a423d9b43a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "External Remote Services",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1133",
      "technique_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d",
      "description": "The adversary logs into the Kubernetes console.",
      "effect_refs": [
        "attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25",
        "attack-action--fe5fea66-d2a1-4b41-a9eb-7f8eccf9704a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Unsecured Credentials",
      "tactic_id": "TA0006",
      "tactic_ref": "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
      "technique_id": "T1552",
      "technique_ref": "attack-pattern--435dfb86-2697-4867-85b5-2fef496c0517",
      "description": "The adversary can view plaintext AWS keys in the Kubernetes console.",
      "effect_refs": [
        "attack-action--3475ec81-5b70-4f9a-a9a9-9a089216ab44"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3475ec81-5b70-4f9a-a9a9-9a089216ab44",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Cloud Accounts",
      "description": "The adversary authenticates to AWS S3 using the discovered credentials.",
      "effect_refs": [
        "attack-action--5d19b518-7bcd-48d7-9d61-5e6001b130b1"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--5d19b518-7bcd-48d7-9d61-5e6001b130b1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data from Cloud Storage",
      "tactic_id": "TA0009",
      "tactic_ref": "x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe",
      "technique_id": "T1530",
      "technique_ref": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
      "description": "The adversary can access data in private S3 buckets."
    },
    {
      "type": "attack-action",
      "id": "attack-action--fe5fea66-d2a1-4b41-a9eb-7f8eccf9704a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Deploy Container",
      "tactic_id": "TA0002",
      "tactic_ref": "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
      "technique_id": "T1610",
      "technique_ref": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
      "description": "The adversary deploys a new container on the Kubernetes cluster.",
      "effect_refs": [
        "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Server",
      "description": "The adversary sets up server[s] to run a cryptomining pool.",
      "effect_refs": [
        "attack-action--837bede5-db2f-40ac-b4df-9798548de067",
        "attack-action--d1ea11b4-4701-4f2a-9612-6a1de05710e9"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--837bede5-db2f-40ac-b4df-9798548de067",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Proxy",
      "description": "The adversary proxies their mining pool through Cloudflare CDN.",
      "effect_refs": [
        "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0"
      ]
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "AND",
      "effect_refs": [
        "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Resource Hijacking",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1496",
      "technique_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
      "description": "The adversary runs cryptomining software in the container, configured to use their private mining pool."
    },
    {
      "type": "infrastructure",
      "id": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "name": "Unlisted mining pool",
      "description": "The mining pool is \"unlisted\" and runs on a non-standard port to evade common blocklists.",
      "infrastructure_types": [
        "unknown"
      ]
    },
    {
      "type": "note",
      "id": "note--c5d127a0-59be-4ab5-9266-4b3037c7bee3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "abstract": "Speculation",
      "content": "The authors of the referenced RedLock post speculated about what the attackers could have done with the leaked credentials, but there is no evidence the adversaries even knew about the credentials.",
      "object_refs": [
        "attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d1ea11b4-4701-4f2a-9612-6a1de05710e9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Non-Standard Port",
      "tactic_id": "TA0011",
      "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
      "description": "The adversary runs their mining pool on a non-standard port to evade common blocklists.",
      "effect_refs": [
        "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--fc09aebc-c912-4d75-a706-d785a2d68fa1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--394e0f5c-534b-406d-a714-60124f89e437",
      "target_ref": "attack-action--7edcb647-8d0c-4ba4-86e8-b2a423d9b43a"
    },
    {
      "type": "relationship",
      "id": "relationship--07e40d75-d3aa-4c71-a1ff-c146856804da",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb",
      "target_ref": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c"
    },
    {
      "type": "relationship",
      "id": "relationship--58e6ad7b-3122-4673-a846-0fc0abf196df",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.772Z",
      "modified": "2026-06-11T23:57:51.772Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844",
      "target_ref": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c"
    }
  ]
}