Cybercriminals Target Apache NiFi Instances for Cryptocurrency Mining


May 31, 2023Ravie LakshmananServer Security / Crypto Currency

Apache NiFi

Financially motivated threat actors are actively scouring the internet for protection Apache NiFi example to install cryptocurrency miners covertly and facilitate lateral movement.

This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr Johannes Ullrich, dean of research for the SANS Institute of Technology. “Attack scripts are not saved to the system. Attack scripts are only stored in memory.”

Honeypot settings allow the ISC to determine that the initial foothold is armed to drop shell scripts that delete the “/var/log/syslog” file, disable firewalls, and stop competing crypto mining tools, before downloading and launching Kinsing malware from a remote server.

It’s worth pointing out kinsing have a track record leverages publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that used legacy Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver cryptocurrency mining malware.


Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Fraud can detect advanced threats, stop lateral moves, and improve your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Select attacks mounted by the same threat actor against exposed NiFi servers also require executing a second shell script designed to collect SSH keys from infected hosts to connect to other systems within the victim organization.

An important indicator of the ongoing campaign is that the actual attack and scanning activity is carried out via IP address 109.207.200(.)43 against port 8080 and port 8443/TCP.

“Because of their use as a data processing platform, NiFi servers often have access to business critical data,” said SANS ISC. “NiFi servers are likely to be attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if NiFi servers are not secured.”

Found this article interesting? Follow us on Twitter And LinkedIn to read more exclusive content we post.


Source link

Related Articles

Back to top button