[ad_1]
A financially motivated menace actor is actively scouring the web for unprotected Apache NiFi situations to covertly set up a cryptocurrency miner and facilitate lateral motion.
The findings come from the SANS Web Storm Heart (ISC), which detected a spike in HTTP requests for “/nifi” on Might 19, 2023.
“Persistence is achieved by way of timed processors or entries to cron,” mentioned Dr. Johannes Ullrich, dean of analysis for SANS Expertise Institute. “The assault script will not be saved to the system. The assault scripts are stored in reminiscence solely.”
A honeypot setup allowed the ISC to find out that the preliminary foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining instruments, earlier than downloading and launching the Kinsing malware from a distant server.
It is price stating that Kinsing has a observe report of leveraging publicly disclosed vulnerabilities in publicly accessible net purposes to hold out its assaults.
In September 2022, Development Micro detailed an equivalent assault chain that utilized outdated Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to ship the cryptocurrency mining malware.
Zero Belief + Deception: Be taught The best way to Outsmart Attackers!
Uncover how Deception can detect superior threats, cease lateral motion, and improve your Zero Belief technique. Be a part of our insightful webinar!
Choose assaults mounted by the identical menace actor towards uncovered NiFi servers additionally entail the execution of a second shell script that is designed to gather SSH keys from the contaminated host to hook up with different techniques throughout the sufferer’s group.
A notable indicator of the continued marketing campaign is that the precise assault and scanning actions are carried out by way of the IP deal with 109.207.200[.]43 towards port 8080 and port 8443/TCP.
“On account of its use as a knowledge processing platform, NiFi servers usually have entry to business-critical information,” SANS ISC mentioned. “NiFi servers are doubtless enticing targets as they’re configured with bigger CPUs to help information transformation duties. The assault is trivial if the NiFi server will not be secured.”
[ad_2]
