
Cryptocurrency Mining Campaign Targets Vulnerable Apache NiFi Instances

According to the SANS Internet Storm Center (ISC), HTTP requests for "/nifi" spiked on May 19, indicating that a financially motivated threat actor is actively scanning the internet for vulnerable Apache NiFi instances. The objective is to quietly install a cryptocurrency miner and enable lateral movement.

Diving into details

Persistence is established through scheduled processors or cron entries. The attack script is not written to disk but is kept solely in memory.
  • The initial entry point is used to deploy a shell script that deletes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools.
  • The script then retrieves and launches the Kinsing malware from a remote server. The same actor also made several attempts to execute an alternative script, spre.sh, which harvests SSH keys from the compromised host in order to reach other systems within the victim's organization.
  • An indicator of the ongoing campaign is the IP address 109.207.200[.]43, which performs both the scanning on ports 8080 and 8443/TCP and the actual attack.
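As an added example, not code from the SANS ISC report or this write-up, the following Python detector runs over constructed access-log lines and flags sources probing /nifi on the ports named above, treating the published scanner address as a known indicator. The log layout (combined format with a trailing port= field, as a reverse proxy in front of NiFi might emit) is an assumption.

```python
import re
from collections import Counter

# Indicator from the SANS ISC report (defanged in the write-up above).
KNOWN_SCANNER = "109.207.200.43"
NIFI_PORTS = {8080, 8443}

# Combined-format access line with the server port appended.
# This field layout is an assumption made for the example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)$'
)

def parse_line(line):
    """Return a dict of fields for a matching line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec

def find_nifi_scans(lines, threshold=3):
    """Return {ip: reason} for sources probing /nifi on the NiFi ports.
    A source is flagged if it is the published indicator, or if it hits
    /nifi paths at least `threshold` times (a scan, not a user session)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port"] in NIFI_PORTS and rec["path"].startswith("/nifi"):
            hits[rec["ip"]] += 1
    flagged = {}
    for ip, n in hits.items():
        if ip == KNOWN_SCANNER:
            flagged[ip] = f"known Kinsing scanner, {n} /nifi request(s)"
        elif n >= threshold:
            flagged[ip] = f"{n} /nifi requests, possible scan"
    return flagged

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '109.207.200.43 - - [19/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 200 1234 port=8080',
    '10.0.0.5 - - [19/May/2023:10:01:10 +0000] "GET /nifi/ HTTP/1.1" 200 1234 port=8443',
    '198.51.100.7 - - [19/May/2023:10:02:00 +0000] "GET /nifi HTTP/1.1" 404 0 port=8080',
    '198.51.100.7 - - [19/May/2023:10:02:01 +0000] "GET /nifi/ HTTP/1.1" 404 0 port=8443',
    '198.51.100.7 - - [19/May/2023:10:02:02 +0000] "GET /nifi-api/ HTTP/1.1" 404 0 port=8080',
    '10.0.0.9 - - [19/May/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 port=80',
]

if __name__ == "__main__":
    for ip, why in find_nifi_scans(SAMPLE_LOG).items():
        print(ip, why)
```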

Why Kinsing?

Kinsing is known for exploiting publicly disclosed vulnerabilities in internet-facing web applications, which is what lets the group carry out its attacks at scale.
  • In January, Kinsing operators were found using vulnerable software images and misconfigurations in PostgreSQL to gain initial access to Kubernetes environments.
  • The attackers scanned for open default WebLogic port 7001 to execute a shell command and run the malware.
  • Vulnerable container images allow remote code execution, enabling hackers to deploy malware, ultimately leading to cryptojacking. 

The bottom line

According to SANS ISC, NiFi servers are frequently granted access to crucial business data because of their role as data processing platforms. They are also enticing targets because they are provisioned with powerful CPUs intended for data transformation tasks. Users are advised to secure their NiFi servers immediately.
Cyware Publisher