Security News > 2023 > May > Someone is roping Apache NiFi servers into a cryptomining botnet

Someone is roping Apache NiFi servers into a cryptomining botnet
2023-05-31 13:49

If you're running an Apache NiFi instance exposed on the internet and you have not secured access to it, the underlying host may already be covertly cryptomining on someone else's behalf.

"Routers make bad cryptomining servers. Cryptomining may be what they end up doing if the lateral movement doesn't get them anywhere."

How many unsecured Apache NiFi instances are there?

"Due to its use as a data processing platform, NiFi servers often have access to business-critical data. NiFi presents an attractive target for anyone who wants to steal, modify or delete the data," he says.

SANS ISC has provided the malicious scripts and indicators that point to compromise: malicious cron jobs for persistence, odd processors in the NiFi configuration, IP addresses, and hashes of the scripts and the cryptominer.

In general Apache NiFi instances should not be internet-facing and access to them should be properly secured.


News URL

https://www.helpnetsecurity.com/2023/05/31/apache-nifi-cryptomining/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 549 713 367 1642