    Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

    By justmattg, June 1, 2023

    Originally published May 31, 2023 by Ravie Lakshmanan (Server Security / Cryptocurrency)

    Apache NiFi

    A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

    The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

    “Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”

    A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

    It’s worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.

    In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.


    Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that’s designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.

    A notable indicator of the ongoing campaign is that both the scanning and the follow-on attack activity originate from the IP address 109.207.200[.]43 and target ports 8080 and 8443/TCP.
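The two indicators the article gives (a spike in requests for "/nifi" and a single source address hitting ports 8080 and 8443) can be turned into a simple log check. The following is an added example, not code from the article or from SANS ISC: it parses access-log lines in Apache's `vhost_combined` format (assumed here to come from a reverse proxy or honeypot in front of NiFi), counts requests whose path starts with `/nifi` per source, flags the defanged indicator IP from the article, and reports sources that exceed a constructed probe threshold. The log lines are constructed for the demonstration.

```python
"""Flag Apache NiFi probing in reverse-proxy access logs.

Added example; assumes Apache's vhost_combined log format:
  %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
so the port the request arrived on is recoverable from the "%v:%p" prefix.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Indicator printed in the article as 109.207.200[.]43, re-fanged for matching.
KNOWN_SCANNER = "109.207.200.43"
# Ports the article says the scanning targeted.
NIFI_PORTS = {8080, 8443}
# Constructed threshold: how many /nifi requests from one source count as a spike.
MIN_PROBES = 3

LOG_RE = re.compile(
    r'^(?P<host>\S+?):(?P<port>\d+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: three probes from the article's indicator IP, one internal
# user, and one unrelated external client. /nifi-api is NiFi's REST API root.
SAMPLE_LOG = """\
nifi.example.internal:8080 109.207.200.43 - - [19/May/2023:10:02:11 +0000] "GET /nifi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
nifi.example.internal:8080 109.207.200.43 - - [19/May/2023:10:02:12 +0000] "GET /nifi-api/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
nifi.example.internal:8443 109.207.200.43 - - [19/May/2023:10:02:15 +0000] "GET /nifi HTTP/1.1" 401 0 "-" "Mozilla/5.0"
nifi.example.internal:8080 10.0.4.17 - - [19/May/2023:10:03:01 +0000] "GET /nifi/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.internal:8080 198.51.100.7 - - [19/May/2023:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
nifi.example.internal:8080 198.51.100.7 - - [19/May/2023:10:04:02 +0000] "GET /nifi HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one vhost_combined line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def summarize_nifi_probes(lines: Iterable[str]) -> dict:
    """Count /nifi requests per source and flag the campaign's indicators."""
    probes_by_src: Counter = Counter()
    known_scanner_hits = 0
    ports_seen = set()
    for line in lines:
        rec = parse_line(line)
        # Only requests under the NiFi UI/API prefix are of interest here.
        if rec is None or not rec["path"].startswith("/nifi"):
            continue
        probes_by_src[rec["src"]] += 1
        ports_seen.add(rec["port"])
        if rec["src"] == KNOWN_SCANNER:
            known_scanner_hits += 1
    noisy = sorted(src for src, n in probes_by_src.items() if n >= MIN_PROBES)
    return {
        "probes_by_src": dict(probes_by_src),
        "known_scanner_hits": known_scanner_hits,
        "nifi_port_hits": sorted(ports_seen & NIFI_PORTS),
        "noisy_sources": noisy,
        # Alert on either the published indicator or a probing spike.
        "alert": known_scanner_hits > 0 or bool(noisy),
    }


if __name__ == "__main__":
    for key, value in summarize_nifi_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The match on the published IP is the weakest signal, since the actor can move; the per-source count of `/nifi` requests is what reproduces the spike ISC observed and keeps working after the address changes. Any external source reaching `/nifi` at all is worth a look, because a NiFi UI that is reachable from the internet is the precondition the article describes.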

    “Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”
