Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.
“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”
A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.
It’s worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.
In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.
Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that’s designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.
A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
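A small detection routine, added here as an illustration and not part of the SANS ISC report or this article: it scans constructed reverse-proxy log lines (the log format is assumed) for requests to “/nifi” paths on ports 8080 and 8443, and flags sources that match the published scanner IP or produce a burst of such requests, the pattern the ISC honeypot observed on May 19, 2023.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the SANS ISC report (the article defangs it as 109.207.200[.]43).
KNOWN_SCANNER = {"109.207.200.43"}
NIFI_PORTS = {8080, 8443}  # ports the article names as targeted

# Assumed log format (constructed; adapt the regex to your proxy's real format):
#   <iso-timestamp> <src_ip> -> :<dst_port> "<METHOD> <path>" <status>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> :(?P<port>\d+) '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')
# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2023-05-19T10:00:01Z 10.0.0.5 -> :8443 "GET /nifi/" 200
2023-05-19T10:02:10Z 109.207.200.43 -> :8080 "GET /nifi" 302
2023-05-19T10:02:12Z 109.207.200.43 -> :8443 "GET /nifi" 200
2023-05-19T10:03:00Z 10.0.0.7 -> :8080 "GET /healthz" 200
2023-05-19T10:04:00Z 198.51.100.9 -> :8443 "GET /nifi" 200
2023-05-19T10:04:01Z 198.51.100.9 -> :8443 "GET /nifi" 200
2023-05-19T10:04:02Z 198.51.100.9 -> :8443 "GET /nifi" 200
"""

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                   "src": m["src"], "port": int(m["port"]), "path": m["path"]}

def find_nifi_probes(lines, window=timedelta(minutes=5), threshold=3):
    """Map source IP -> reasons, for sources requesting /nifi* on the NiFi ports that
    match the published indicator or send >= threshold such requests within window."""
    hits = defaultdict(list)
    for ev in parse(lines):
        if ev["port"] in NIFI_PORTS and ev["path"].startswith("/nifi"):
            hits[ev["src"]].append(ev["ts"])
    findings = {}
    for src, times in sorted(hits.items()):
        reasons = []
        if src in KNOWN_SCANNER:
            reasons.append("source matches ISC-published scanner IP")
        times.sort()  # sliding window over sorted timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            reasons.append(f"{threshold}+ /nifi requests within {window}")
        if reasons:
            findings[src] = reasons
    return findings
```

Feed it your proxy or NiFi access log instead of `SAMPLE_LOG.splitlines()`; a hit on an internal address warrants checking that host for the cron entries and timed processors the report describes.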
“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”