April 18, 2024

May 31, 2023 | Ravie Lakshmanan | Server Security / Cryptocurrency

Apache NiFi

A financially motivated threat actor is actively scouring the web for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are saved in memory only.”

A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

It is worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.

Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that is designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.

A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
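The ISC spotted this campaign as a spike in requests for “/nifi”, and the scanning traffic came from a single indicator address. The following added example (not code from the article or from SANS ISC) shows how a defender could apply both observations to a web or reverse-proxy access log: it counts “/nifi” requests per day, flags days that exceed a baseline by a chosen factor, and reports hits from the published indicator IP. The log lines are constructed samples in common log format; the baseline days and the spike factor are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common/combined log format: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

# Indicator reported by SANS ISC for this campaign (defanged in the article as 109.207.200[.]43).
KNOWN_SCANNER_IPS = {"109.207.200.43"}


def parse_line(line):
    """Return (client_ip, ISO day, request path) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S").date()
    return m["ip"], day.isoformat(), m["path"]


def analyze(lines, baseline_days, spike_factor=5):
    """Count /nifi requests per day, flag spiking days, and count indicator-IP hits."""
    per_day = Counter()
    ioc_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, day, path = rec
        if path.startswith("/nifi"):
            per_day[day] += 1
            if ip in KNOWN_SCANNER_IPS:
                ioc_hits[ip] += 1
    # Baseline: mean daily /nifi volume over the quiet days supplied by the caller.
    baseline = sum(per_day[d] for d in baseline_days) / max(len(baseline_days), 1)
    spikes = [d for d, n in sorted(per_day.items())
              if d not in baseline_days and n > baseline * spike_factor]
    return dict(per_day), spikes, dict(ioc_hits)


def _line(ip, ts, path):
    # Constructed sample access-log line (documentation/test IP ranges only).
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 1234'


SAMPLE_LOG = [
    _line("198.51.100.7", "17/May/2023:10:00:01", "/nifi"),
    _line("198.51.100.7", "18/May/2023:09:12:44", "/nifi/"),
    _line("203.0.113.9", "18/May/2023:11:30:00", "/index.html"),
] + [_line("109.207.200.43", f"19/May/2023:02:{i:02d}:00", "/nifi") for i in range(10)] \
  + [_line("192.0.2.55", "19/May/2023:03:00:00", "/nifi")]
```

Running `analyze(SAMPLE_LOG, ["2023-05-17", "2023-05-18"])` flags 2023-05-19 as a spike (11 hits against a baseline of 1) and attributes 10 of those hits to the indicator address.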

“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”
