Headline
Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023. “Persistence is achieved via timed processors or entries to cron,” said Dr.
Server Security / Cryptocurrency
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.
The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.
“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”
A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.
It’s worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.
In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.
UPCOMING WEBINAR
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
Save My Seat!
Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that’s designed to collect SSH keys from the infected host to connect to other systems within the victim’s organization.
A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
“Due to its use as a data processing platform, NiFi servers often have access to business-critical data,” SANS ISC said. “NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
By Deeba Ahmed The 8220 gang, believed to be of Chinese origins, was first identified in 2017 by Cisco Talos when they targeted Drupal, Hadoop YARN, and Apache Struts2 applications for propagating cryptojacking malware. This is a post from HackRead.com Read the original post: 8220 Gang Targets Telecom and Healthcare in Global Cryptojacking Attack
Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated
The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.
The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.
Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. Cybersecurity company Trend Micro said it found the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).