Financially motivated threat actors are actively scouring the internet for unprotected Apache NiFi instances in order to covertly install cryptocurrency miners and facilitate lateral movement.
This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.
“Persistence is achieved via timed processors or entries to cron,” said Dr Johannes Ullrich, dean of research for the SANS Technology Institute. “Attack scripts are not saved to the system. Attack scripts are only stored in memory.”
Honeypot data allowed the ISC to determine that the initial foothold is used to drop shell scripts that delete the “/var/log/syslog” file, disable firewalls, and stop competing crypto mining tools, before downloading and launching the Kinsing malware from a remote server.
In September 2022, Trend Micro detailed an identical attack chain that used legacy Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver cryptocurrency mining malware.
Select attacks mounted by the same threat actor against exposed NiFi servers also involve executing a second shell script designed to collect SSH keys from infected hosts in order to connect to other systems within the victim organization.
A notable indicator of the ongoing campaign is that the actual attack and scanning activity is carried out from IP address 109.207.200(.)43 against ports 8080/TCP and 8443/TCP.
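The indicators above (requests for “/nifi”, the scanning source 109.207.200.43, and ports 8080 and 8443) are enough to write a simple triage check over web server access logs. The following Python script is an added example written for this article, not code from SANS ISC or the Apache NiFi project. It assumes a combined-style access log with the server port appended as the last field; that layout and the sample log lines are constructed for the example, and the regex will need adjusting to your own log format.

```python
import re
from collections import Counter

# Indicator from the SANS ISC report (defanged in the article as 109.207.200(.)43).
SCANNER_IP = "109.207.200.43"
TARGET_PORTS = {8080, 8443}

# Assumed log layout: NGINX/Apache "combined" format plus the server port as a final field.
# This is a constructed layout for the example; adapt the pattern to your real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)

# Constructed sample lines: three probes from the reported scanner, one internal admin
# visit, one unrelated request, and one probe from a different external address.
SAMPLE_LOG = """\
109.207.200.43 - - [19/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 200 5123 "-" "python-requests/2.28.1" 8080
109.207.200.43 - - [19/May/2023:10:01:03 +0000] "GET /nifi HTTP/1.1" 200 5123 "-" "python-requests/2.28.1" 8443
109.207.200.43 - - [19/May/2023:10:01:05 +0000] "GET /nifi/ HTTP/1.1" 200 5123 "-" "python-requests/2.28.1" 8080
10.20.0.5 - - [19/May/2023:10:05:00 +0000] "GET /nifi/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 8443
203.0.113.7 - - [19/May/2023:10:06:00 +0000] "GET / HTTP/1.1" 404 153 "-" "curl/8.0.1" 8080
198.51.100.9 - - [19/May/2023:10:07:00 +0000] "GET /nifi HTTP/1.1" 401 0 "-" "Go-http-client/1.1" 8443
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    return rec


def is_nifi_probe(rec):
    """True when the request targets the NiFi UI path on one of the scanned ports."""
    path = rec["path"].split("?", 1)[0]
    return (path == "/nifi" or path.startswith("/nifi/")) and rec["port"] in TARGET_PORTS


def triage(log_text):
    """Summarise NiFi probes: which sources, which ports, and how many match the known IoC."""
    probes = [
        rec for rec in (parse_line(l) for l in log_text.splitlines())
        if rec and is_nifi_probe(rec)
    ]
    return {
        "probes": probes,
        "by_source": Counter(rec["ip"] for rec in probes),
        "ports": {rec["port"] for rec in probes},
        "ioc_hits": sum(1 for rec in probes if rec["ip"] == SCANNER_IP),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['probes'])} /nifi requests on ports {sorted(result['ports'])}")
    print(f"{result['ioc_hits']} from known scanner {SCANNER_IP}")
    for ip, n in result["by_source"].most_common():
        print(f"  {ip}: {n}")
```

The IoC match is the high-confidence signal; the per-source count of “/nifi” requests is the weaker one that still deserves review, since an unknown external address reaching the NiFi UI on 8080 or 8443 at all suggests the server is exposed in the way the ISC describes.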
“Because of their use as a data processing platform, NiFi servers often have access to business critical data,” said SANS ISC. “NiFi servers are likely to be attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if NiFi servers are not secured.”