A Land Information NZ cloud service was breached and became home to a rogue bitcoin mining operation, the operator of New Zealand’s property register has told Parliament.
LINZ IT staff detected an increase in the usage of an underlying public cloud service in the year ended 30 June 2021, the agency told the primary production committee as part of its annual review.
“Within 24 hours of the beginning of the breach, an investigation found a compromise in a third party application configuration which had allowed an external party access,” LINZ reported.
“No data breach occurred as the unauthorised access was running a process doing bitcoin mining to use the infrastructure capacity (processor and memory) and not to access any data that was on the server.”
The ‘cryptojacking’ operation was shut down within 24 hours of being detected, and the system configuration was changed to block access.
LINZ reported the breach to the National Cyber Security Centre (NCSC) and a report was commissioned from a third-party IT security expert.
In November, Google issued a warning that cyber hackers were using compromised cloud accounts to mine cryptocurrency. The company said 86 per cent of compromised Google Cloud instances were used to perform cryptocurrency mining, which requires massive computing resources.
Three-quarters of the cloud hacks took advantage of poor customer security or vulnerable third-party software, Google reported, recommending cloud customers use two-factor authentication on top of a user name and password.
That same month, US IT security company Zscaler warned there is a strong incentive to steal computing time due to the compute-intensive nature of mining.
“Our researchers at ThreatLabz have detailed how malicious actors are using end users’ devices to mine cryptocurrencies,” Zscaler engineer Rob Bolton wrote. “One method involves using JavaScript in the browser to perform the mining, most often without the user’s knowledge or consent.”
However, there were other avenues for the exploitation of cloud services, Bolton warned.
“The rapid adoption and exploding array of services and associated configuration options have led to insecure cloud deployments, and malicious actors have taken notice.”
A cryptomining worm from the group TeamTNT was detected spreading through AWS, for instance. The worm harvested credentials and then deployed software to mine the Monero cryptocurrency.
It is not the first time bitcoin miners have used LINZ’s resources. A note in its report said that in a previous financial year an unauthorised mining script was found running on a non-production database used for user acceptance testing, and was stopped.
Also during the 2021 year a LINZ server, used to host public datasets, experienced a large number of username and password attempts.
“This is not an uncommon event; however one attempt was successful at gaining access to the server,” the agency reported.
“Due to the small amount of data transferred during this breach (<4Mb), this was likely to be an automated bot that marked the server for potential future access attempts.”
LINZ shut down the server within 24 hours, preventing any further breaches, and notified authorities.
LINZ is also working on a five-year programme to modernise and rebuild Landonline, the technology system that underpins private property rights by providing a record of land ownership and property boundaries.
New functionality is being introduced as the rebuild proceeds, with an initial focus on customer service enhancements, LINZ told the committee. In February 2021, for instance, a public search function went live at a total cost of $2.8 million.
LINZ also released two new property transaction notification services at a cost of $7.6 million: notice of change of ownership and notice to mortgagee.
The programme’s total capital expenditure as of 30 June 2021 was $33.4 million out of a total budgeted cost of $128 million. In late 2018 it appeared LINZ had selected AWS as its primary cloud platform.
Reseller News has requested the report LINZ commissioned on the cryptojacking breach.