Researchers revealed that an alleged financially motivated threat group is searching the internet for exposed Apache NiFi instances to install a cryptocurrency miner. The campaign also includes discreet lateral movement across the targeted network.
These findings came to light after a cybersecurity researcher detected an alleged surge of HTTP requests for /nifi earlier this month. According to initial reports, the threat actors could establish persistence through timed processors or cron entries. The analysis also noted that the attack did not save its script to disk; instead, the campaign kept the attack scripts in memory only.
A honeypot setup enabled the researchers to determine that the attackers weaponised the initial foothold to drop a shell script that deletes the “/var/log/syslog” file, deactivates the firewall, and stops competing crypto-mining tools before downloading and deploying the Kinsing malware from a remote attacker-controlled server.
The researchers have also emphasised that the malware strain used in this cryptocurrency mining campaign has a track record of exploiting publicly known flaws in well-known, internet-accessible web apps to carry out its attacks.
The current exploitation of NiFi instances is not the only route the threat actors have used to carry out cryptomining attacks in recent months.
Late last year, a threat analysis revealed that old Oracle WebLogic Server flaws, much like the exposed NiFi instances, had enabled a malicious group to deploy cryptomining malware.
The same group has also been behind several other attacks abusing exposed NiFi servers. In the ongoing campaign, a second shell script can collect SSH keys from the compromised host and use them to connect to other systems within the victim’s organisation.
As of now, the researchers have one significant indicator for the campaign: the scanning and attack activity came from the IP address 109.207.200.43 and targeted TCP ports 8080 and 8443.
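As an added example (not from the article or from the researchers' own tooling), the following Python script turns the indicators above into a simple detection run over constructed web-server log lines. Only the source IP and the two ports come from the article; the simplified log layout, the sample hosts (10.0.0.5, 198.51.100.9, 203.0.113.77) and the surge threshold are assumptions made for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Indicators taken from the article: the scanning source and the probed TCP ports.
IOC_IP = "109.207.200.43"
NIFI_PORTS = {8080, 8443}
# Constructed threshold: this many /nifi probes from one source is treated as a surge.
SURGE_THRESHOLD = 3

# Hypothetical, simplified access-log layout used for this example:
# "<client_ip> <server_port> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; 10.0.0.5, 198.51.100.9 and 203.0.113.77 are made-up hosts.
SAMPLE_LOG = [
    "10.0.0.5 8080 GET /nifi/ 200",
    "109.207.200.43 8080 GET /nifi 302",
    "109.207.200.43 8443 GET /nifi 401",
    "109.207.200.43 8080 GET /nifi/ 200",
    "198.51.100.9 8080 GET /healthz 200",
    "203.0.113.77 8443 GET /nifi/login 200",
    "109.207.200.43 443 GET / 200",
    "this line is not in the expected format",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["port"] = int(m.group("port"))
    entry["status"] = int(m.group("status"))
    return entry


def is_nifi_probe(entry: Dict[str, object]) -> bool:
    """True for a request to the NiFi UI path on one of the ports the campaign scanned."""
    path = str(entry["path"])
    return entry["port"] in NIFI_PORTS and (path == "/nifi" or path.startswith("/nifi/"))


def reasons(entry: Dict[str, object]) -> List[str]:
    """Return the detection reasons that apply to one parsed entry (empty if benign)."""
    hits: List[str] = []
    if entry["ip"] == IOC_IP:
        hits.append("ioc_ip")          # traffic from the published scanning address
    if is_nifi_probe(entry):
        hits.append("nifi_probe")      # request for /nifi on port 8080 or 8443
    return hits


def scan(lines: List[str]) -> Dict[str, object]:
    """Run the detections over raw log lines and summarise alerts, surges and parse failures."""
    alerts: List[Dict[str, object]] = []
    probes_per_source: Counter = Counter()
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # never silently drop lines the parser cannot read
            continue
        hits = reasons(entry)
        if "nifi_probe" in hits:
            probes_per_source[str(entry["ip"])] += 1
        if hits:
            alerts.append({"line": line, "reasons": hits})
    surge_sources = sorted(
        ip for ip, n in probes_per_source.items() if n >= SURGE_THRESHOLD
    )
    return {"alerts": alerts, "surge_sources": surge_sources, "unparsed": unparsed}


if __name__ == "__main__":
    summary = scan(SAMPLE_LOG)
    for alert in summary["alerts"]:
        print(", ".join(alert["reasons"]).ljust(20), alert["line"])
    print("surge sources:", summary["surge_sources"])
    print("unparsed lines:", summary["unparsed"])
```

The internal host 10.0.0.5 is flagged as a probe too: the path-and-port rule is deliberately broad, and the expectation is that an analyst tunes it with an allow-list of known administrator sources rather than loosening the match, since a single indicator IP is easy for the operators to change while the /nifi path on 8080/8443 is inherent to the target.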
Cybersecurity experts said NiFi servers are an attractive target because they are typically provisioned with larger CPUs to handle data transformation workloads. Organisations running NiFi instances should therefore watch out for these campaigns.