Cybercriminals Target Apache NiFi Instances for Cryptocurrency Mining

May 31, 2023Ravie LakshmananServer Security / Crypto Currency

Financially motivated threat actors are actively scouring the internet for protection Apache NiFi example to install cryptocurrency miners covertly and facilitate lateral movement.

This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr Johannes Ullrich, dean of research for the SANS Institute of Technology. “Attack scripts are not saved to the system. Attack scripts are only stored in memory.”

Honeypot settings allow the ISC to determine that the initial foothold is armed to drop shell scripts that delete the “/var/log/syslog” file, disable firewalls, and stop competing crypto mining tools, before downloading and launching Kinsing malware from a remote server.

It’s worth pointing out kinsing have a track record leverages publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that used legacy Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver cryptocurrency mining malware.

Select attacks mounted by the same threat actor against exposed NiFi servers also require executing a second shell script designed to collect SSH keys from infected hosts to connect to other systems within the victim organization.

An important indicator of the ongoing campaign is that the actual attack and scanning activity is carried out via IP address 109.207.200(.)43 against port 8080 and port 8443/TCP.

“Because of their use as a data processing platform, NiFi servers often have access to business critical data,” said SANS ISC. “NiFi servers are likely to be attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if NiFi servers are not secured.”