Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

May 31, 2023
Ravie Lakshmanan
Server Security / Cryptocurrency

A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”

A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

It’s worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.


Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that’s designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.

A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
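The two observables the article gives defenders, a spike in requests for “/nifi” and a single scanning source address, translate directly into a log check. The script below is an added example written for this page; it is not code from the article or from SANS ISC. It assumes a reverse proxy or web server in front of NiFi writing combined-format access logs (the sample lines are constructed), counts “/nifi” requests per source inside a sliding time window, and separately flags the source address the article reports (written defanged on the page as 109.207.200[.]43). The threshold and window are illustrative assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache httpd / nginx in front of NiFi (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Scanning source reported by SANS ISC for this campaign (page shows it as 109.207.200[.]43).
KNOWN_SCANNER_IPS = {"109.207.200.43"}

# NiFi's web UI lives under /nifi; the ISC observed the spike on exactly this path.
NIFI_PATH_PREFIX = "/nifi"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_nifi_probes(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: reason} for sources that either match a known campaign
    indicator or send at least `threshold` /nifi requests within `window`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if path == NIFI_PATH_PREFIX or path.startswith(NIFI_PATH_PREFIX + "/"):
            hits[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, times in hits.items():
        if ip in KNOWN_SCANNER_IPS:
            findings[ip] = "known campaign scanner"
            continue
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps: advance `start` until the
        # window fits, then check how many requests it currently spans.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = f"{end - start + 1} /nifi requests within {window}"
                break
    return findings


# Constructed sample log: one legitimate user, one probing burst, one hit from
# the reported scanner, one unrelated request and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2023:12:00:01 +0000] "GET /nifi/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/May/2023:12:01:00 +0000] "GET /nifi HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/May/2023:12:01:05 +0000] "GET /nifi HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/May/2023:12:01:10 +0000] "GET /nifi/ HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/May/2023:12:01:30 +0000] "GET /nifi HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/May/2023:12:02:00 +0000] "GET /nifi HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/May/2023:12:02:10 +0000] "GET /nifi HTTP/1.1" 401 0',
    '109.207.200.43 - - [19/May/2023:12:05:00 +0000] "GET /nifi HTTP/1.1" 401 0',
    '203.0.113.9 - - [19/May/2023:12:06:00 +0000] "GET /index.html HTTP/1.1" 200 300',
    'this line is not an access-log record',
]


def demo():
    """Run the detector over the constructed sample and return its findings."""
    return find_nifi_probes(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, reason in demo().items():
        print(f"{ip}: {reason}")
```

Run against the sample, the single request from 10.0.0.5 is ignored, the burst from 198.51.100.7 is reported once the fifth request lands inside the ten-minute window, and the reported scanner address is flagged on its first request regardless of volume. Feeding real logs through `find_nifi_probes` line by line is enough to reproduce the ISC's “spike in requests for /nifi” observation on your own perimeter.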

“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”
