Someone is roping Apache NiFi servers into a cryptomining botnet
If you're running an Apache NiFi instance exposed on the internet and you have not secured access to it, the underlying host may already be covertly cryptomining on someone else's behalf.
"Routers make bad cryptomining servers. Cryptomining may be what they end up doing if the lateral movement doesn't get them anywhere."
How many unsecured Apache NiFi instances are there?
"Due to its use as a data processing platform, NiFi servers often have access to business-critical data. NiFi presents an attractive target for anyone who wants to steal, modify or delete the data," he says.
SANS ISC has provided the malicious scripts and indicators that point to compromise: malicious cron jobs for persistence, odd processors in the NiFi configuration, IP addresses, and hashes of the scripts and the cryptominer.
In general, Apache NiFi instances should not be internet-facing, and access to them should be properly secured.
News URL
https://www.helpnetsecurity.com/2023/05/31/apache-nifi-cryptomining/