A financially motivated threat actor is actively scouring the web for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.
The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.
“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”
A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.
It is worth mentioning that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.
In September 2022, Trend Micro detailed an identical attack chain that utilized outdated Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.
Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that is designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.
A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”
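As an added example (not from the article or from SANS ISC), the following Python log check flags the two indicators the report names: a source making repeated requests for “/nifi” and the reported scanning address. The access-log lines are constructed Common Log Format samples, and the per-source request threshold is an assumption.

```python
import re
from collections import Counter

# Scanning/attack source reported by SANS ISC (defanged in the article as 109.207.200[.]43).
KNOWN_SCANNER_IPS = {"109.207.200.43"}
NIFI_PATH_PREFIX = "/nifi"
# Assumed threshold: more than this many /nifi* requests from one source is suspicious.
NIFI_REQUEST_THRESHOLD = 3

# Constructed sample access-log lines (Common Log Format); not real captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
109.207.200.43 - - [19/May/2023:10:03:11 +0000] "GET /nifi HTTP/1.1" 302 0
109.207.200.43 - - [19/May/2023:10:03:12 +0000] "GET /nifi/ HTTP/1.1" 200 4096
198.51.100.9 - - [19/May/2023:10:05:40 +0000] "GET /nifi HTTP/1.1" 200 4096
198.51.100.9 - - [19/May/2023:10:05:41 +0000] "GET /nifi-api/flow/about HTTP/1.1" 200 300
198.51.100.9 - - [19/May/2023:10:05:42 +0000] "GET /nifi/ HTTP/1.1" 200 4096
198.51.100.9 - - [19/May/2023:10:05:43 +0000] "GET /nifi HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Count /nifi* requests per source IP and return only the sources worth alerting on."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(NIFI_PATH_PREFIX):
            counts[rec["ip"]] += 1
    findings = {}
    for ip, n in counts.items():
        reasons = []
        if ip in KNOWN_SCANNER_IPS:
            reasons.append("source matches indicator from the SANS ISC report")
        if n > NIFI_REQUEST_THRESHOLD:
            reasons.append(f"{n} /nifi requests exceeds threshold {NIFI_REQUEST_THRESHOLD}")
        if reasons:
            findings[ip] = {"count": n, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

Exposed NiFi also listens on 8080/8443 directly, so the same check belongs on firewall or proxy logs in front of those ports, not only on the web server's own access log.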