May 31, 2023Ravi LakshmananServer Security/Cryptocurrency

Financially motivated attackers are actively scouring the Internet for unprotected information. Apache NiFi instance It secretly installs cryptocurrency miners and facilitates lateral movement.

This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests to “/nifi” on May 19, 2023.

“Persistence is achieved through timed processors or entries in cron.” Said Dr. Johannes Ulrich, Research Director, SANS Technology Institute. “Attack scripts are not stored on the system. Attack scripts are stored only in memory.”

The honeypot configuration causes ISC to open a shell where the first scaffold deletes the “/var/log/syslog” file, disables firewalls, and exits competing crypto-mining tools before downloading and launching Kinsing. I was able to determine that it was weaponized to drop scripts. Malware from remote servers.

it is worth pointing out Kingsing there is achievement The act of exploiting publicly disclosed vulnerabilities in publicly accessible web applications to carry out attacks.

In September 2022, Trend Micro detailed an identical attack chain that leveraged older flaws in Oracle WebLogic Server (CVE-2020-14882 and CVE-2020-14883) to distribute cryptocurrency mining malware.

upcoming webinars

Zero Trust + Deception: Learn How to Outsmart Attackers!

See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!

Reserve your seat!

A selective attack launched by the same threat actor against a public NiFi server was designed to harvest SSH keys from infected hosts in order to connect to other systems within the victim’s organization2. It also entails executing a second shell script.

A notable indicator of the ongoing campaign is the actual attack and scanning activity being conducted via IP address 109.207.200.[.]43 for port 8080 and port 8443/TCP.

“Being used as a data processing platform, NiFi servers often access business-critical data,” said SANS ISC. “NiFi servers can be attractive targets because they are configured with larger CPUs to support data conversion tasks. NiFi servers are not secure. ”

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog