A financially motivated threat actor is actively targeting unprotected Apache NiFi instances to secretly install cryptocurrency mining software and facilitate lateral movement, according to the SANS Internet Storm Center (ISC).
The ISC detected a surge in HTTP requests for “/nifi” on May 19, 2023. The attacker achieves persistence through timed processors or cron entries and stores attack scripts solely in memory, ensuring they are not saved to the system.
Through a honeypot setup, the ISC discovered that the initial attack involves dropping a shell script that removes crucial files, disables firewalls, terminates competing crypto-mining tools, and then proceeds to download and launch the Kinsing malware from a remote server.
Kinsing has a history of exploiting publicly disclosed vulnerabilities in publicly accessible web applications. In previous attacks, the threat actor behind Kinsing also employs a second shell script to collect SSH keys from infected hosts, enabling access to other systems within the victim’s organization.
The ongoing campaign is characterized by attack and scanning activities originating from the IP address 109.207.200[.]43 targeting port 8080 and port 8443/TCP. SANS ISC points out that Apache NiFi servers are attractive targets due to their use as data processing platforms with access to business-critical data.
Additionally, these servers are often equipped with larger CPUs for data transformation tasks, making them more appealing to attackers. The severity of the attack is amplified when NiFi servers lack proper security measures, making them vulnerable to exploitation.
