Hackers hunting for exposed Apache NiFi, warns SANS Institute


Threat actors are scouring the internet for unprotected instances of Apache NiFi to steal server credentials and install cryptominers, warns the SANS Institute.

“An attacker for such a misconfigured system can access all the data processed by NiFi and read/modify/delete the NiFi configuration,” Johannes Ullrich, the cyber training organization’s director of research, said today in a blog.

To protect IT infrastructure, he bluntly said, “RTFM,” which is short for “read the f***ing manual.”

“The NiFi documentation clearly describes the simple process of setting a password,” he said. “NiFi should probably not be exposed to the internet.”

NiFi, a Java program that runs within a Java virtual machine on a server, is often used to manipulate data in enterprises. It can read data from various sources and write to destinations like cloud storage, databases, etc. Recently, NiFi has become popular for preparing data for machine learning.

The warning comes after the institute’s distributed sensor network detected a notable spike in requests for “/nifi” on May 19. To investigate further, Ullrich said in an email to IT World Canada, researchers instructed a subset of SANS internet sensors to forward requests to an actual Apache NiFi instance running in a honeypot. The honeypot used a current version of NiFi in its default configuration. “It took only a couple of hours for the honeypot to be completely compromised,” said Ullrich.

Attackers used a feature called “Processors.” Processors in NiFi are scripts that a user may upload to modify data, and they are a straightforward way to execute arbitrary code on the server. With no authentication in place, an attacker need only upload the code; the server then runs it on whatever schedule the attacker sets.

The institute saw two main types of attack:

- Cryptominers: The attacker installed a cryptominer. NiFi servers are likely attractive targets, as they are configured with larger CPUs to support data transformation tasks.
- Lateral movement: The same attacker attempted to harvest data from exposed servers and used it to attack other servers that have a trust relationship with the victim. This could be used to attack other servers within the same organization.

One actor stood out as the source of most of the attacks. The IP address the attacks originated from is in Hong Kong, but most of that actor’s attack infrastructure is located in Russia.

Organizations should refrain from exposing NiFi to the internet and follow NiFi’s documentation to secure the instance correctly, said Ullrich. “We found several open, unsecured instances. Many of them are hosted with cloud providers like, for example, Azure.”
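The two conditions the article warns about, a NiFi instance with no login configured and one reachable from the internet, are both visible in the instance’s `nifi.properties` file. The audit below is an added example, not code from SANS, the article or the NiFi project. The property names are the real `nifi.properties` keys; the two sample files (a weak configuration beside a hardened one) and the choice of checks are constructed for this example.

```python
"""Audit a NiFi nifi.properties file for the exposure conditions the article
describes: an unauthenticated listener reachable from the network (added example)."""
from __future__ import annotations

# Constructed sample files, not taken from any real deployment.
# NiFi performs no user authentication over plain HTTP, so an HTTP listener
# bound to all interfaces is exactly the exposed configuration described above.
WEAK_PROPERTIES = """\
# plain HTTP listener on every interface, no login provider
nifi.web.http.host=0.0.0.0
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.user.login.identity.provider=
nifi.security.user.authorizer=
"""

HARDENED_PROPERTIES = """\
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=127.0.0.1
nifi.web.https.port=8443
nifi.security.keystore=./conf/keystore.p12
nifi.security.truststore=./conf/truststore.p12
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer
"""

WILDCARD_HOSTS = ("", "0.0.0.0", "::")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: key=value lines; '#' or '!' comments and blanks ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nifi_properties(text: str) -> list[str]:
    """Return findings for the checked exposure conditions; an empty list means none apply."""
    p = parse_properties(text)
    findings: list[str] = []
    if p.get("nifi.web.http.port"):
        findings.append("plain HTTP listener enabled (nifi.web.http.port set): "
                        "NiFi does not authenticate users over HTTP")
        if p.get("nifi.web.http.host", "") in WILDCARD_HOSTS:
            findings.append("HTTP listener binds all interfaces (nifi.web.http.host unset or wildcard)")
    if not p.get("nifi.web.https.port"):
        findings.append("HTTPS listener disabled (nifi.web.https.port empty)")
    else:
        if not p.get("nifi.security.keystore"):
            findings.append("HTTPS enabled without nifi.security.keystore")
        if p.get("nifi.web.https.host", "") in WILDCARD_HOSTS:
            findings.append("HTTPS listener binds all interfaces; set nifi.web.https.host "
                            "or restrict access at the network edge")
    if not p.get("nifi.security.user.login.identity.provider"):
        findings.append("no login identity provider (nifi.security.user.login.identity.provider empty)")
    if not p.get("nifi.security.user.authorizer"):
        findings.append("no authorizer configured (nifi.security.user.authorizer empty)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        result = audit_nifi_properties(text)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The hardened sample binds HTTPS to the loopback address; a real deployment would instead bind to an internal address or place the instance behind a reverse proxy and firewall, but in either case the listener should not be reachable from the internet, which is the article’s central recommendation.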

The post Hackers hunting for exposed Apache NiFi, warns SANS Institute first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
