Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

Apache NiFi

A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”

A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

It’s worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Learn, Connect, Grow

Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that’s designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.

A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.

“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn