
Attackers Use Unsecured Apache NiFi Servers to Mine Cryptocurrencies

By Harper Stewart

Jul 9, 2023

Why do network administrators let everyone access their servers without a password?

Experts from the SANS Internet Storm Center (ISC) have uncovered a persistent campaign that scans for and infects servers.

The campaign targets Apache NiFi servers that have no password or other form of security. The attackers want to set up a covert cryptocurrency miner on the servers and spread it to more systems within the company.

Apache NiFi is a platform for real-time data processing and delivery. It lets you automate the transfer of data from one location to another. According to the experts, Apache NiFi servers are appealing targets for attackers because they frequently have access to vital company data and possess powerful computational capabilities.

As it turns out, the attackers search the Internet for Apache NiFi servers that have port 8080 or 8443/TCP open and send HTTP requests to the “/nifi” URL. If the server does not require authentication, they run a malicious script on it; this script is loaded into memory rather than being stored on disk.

In addition to downloading and running the Kinsing malware from a remote server, the script deletes the /var/log/syslog file, disables the firewall, and stops any competing bitcoin miners it finds. The well-known bitcoin miner Kinsing was used last year in attacks that exploited vulnerabilities in web apps and Oracle WebLogic Server.

In some instances, the attackers also execute a second script that gathers SSH keys from the affected host and tries to connect to more systems within the company.

The primary indicator of compromise is the IP address “109.207.200.43”, from which the scanning and attacks are conducted.

Experts from SANS ISC warn that the attack is very straightforward if the NiFi server is not protected. Administrators should check whether their Apache NiFi servers require a password or have other security measures in place, and set them up if such basic precautions are missing.
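The scanning pattern and the indicator described above can be looked for in the access logs of a web server or reverse proxy placed in front of NiFi. The sketch below is an added example, not code from SANS ISC or from this article; the log layout, the trusted network range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

IOC_IP = ipaddress.ip_address("109.207.200.43")  # indicator from the article
NIFI_PREFIXES = ("/nifi/", "/nifi-api/")         # NiFi web UI and REST API
# Assumption: only these networks should ever reach NiFi; adjust per site.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed common/combined log layout: ip - user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (ip, path, status, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # hostname or garbage in the client field
        return None
    path = m["path"].split("?", 1)[0]
    status = int(m["status"])
    if ip == IOC_IP:
        return (str(ip), path, status, "known-scanner-ip")
    is_nifi = path == "/nifi" or path.startswith(NIFI_PREFIXES)
    if is_nifi and not any(ip in net for net in TRUSTED_NETS):
        # 2xx means NiFi answered an untrusted client; otherwise only a probe.
        reason = "nifi-exposed" if 200 <= status < 300 else "nifi-probe"
        return (str(ip), path, status, reason)
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '109.207.200.43 - - [09/Jul/2023:10:00:01 +0000] "GET /nifi HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jul/2023:10:02:10 +0000] "GET /nifi/ HTTP/1.1" 401 0',
    '198.51.100.9 - - [09/Jul/2023:10:03:44 +0000] "GET /nifi/?x=1 HTTP/1.1" 200 930',
    '10.1.2.3 - - [09/Jul/2023:10:04:00 +0000] "GET /nifi/ HTTP/1.1" 200 930',
    '203.0.113.7 - - [09/Jul/2023:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A "nifi-exposed" hit is the one to act on first: it shows the NiFi interface answering a client outside the trusted range, which is the precondition the campaign relies on.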

 