Security News > 2023 > May > Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

"The attack script is not saved to the system. The attack scripts are kept in memory only."

In September 2022, Trend Micro detailed an identical attack chain that utilized old Oracle WebLogic Server flaws to deliver the cryptocurrency mining malware.

Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that's designed to collect SSH keys from the infected host to connect to other systems within the victim's organization.

A notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP. "Due to its use as a data processing platform, NiFi servers often have access to business-critical data," SANS ISC said.

"NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured."

News URL

https://thehackernews.com/2023/05/cybercriminals-targeting-apache-nifi.html