Threat actors are scouring the internet for unprotected instances of Apache NiFi, to steal server credentials and install cryptominers, warns the SANS Institute.
“An attacker for such a misconfigured system can access all the data processed by NiFi and read/modify/delete the NiFi configuration,” Johannes Ullrich, the cyber training organization’s director of research, said today in a blog.
To protect IT infrastructure, he bluntly said, “RTFM,” which is short for “read the f***ing manual.”
“The NiFi documentation clearly describes the simple process of setting a password,” he said. “NiFi should probably not be exposed to the internet.”
NiFi, a Java program that runs within a Java virtual machine on a server, is often used to manipulate data in enterprises. It can read data from various sources and write to destinations like cloud storage, databases, etc. Recently, NiFi has become popular for preparing data for machine learning.
The warning comes after the institute’s distributed sensor network detected a notable spike in requests for “/nifi” on May 19. To investigate further, Ullrich said in an email to IT World Canada, researchers instructed a subset of SANS internet sensors to forward requests to an actual Apache NiFi instance in its honeypot. The honeypot used a current version of Nifi in its default configuration. “It took only a couple of hours for the honeypot to be completely compromised,” said Ullrich.
Attackers used a feature called “Processors.” Processors in NiFi are scripts that a user may upload to modify data, and are a straightforward method to execute arbitrary code on a server. Without authentication, an attacker needs to upload the code, and the server will run it on a schedule provided by the attacker.
The institute saw two main types of attack:
— Cryptominers: The attacker installed a cryptominer. NiFi servers are likely attractive targets, as they are configured with larger CPUs to support data transformation tasks;
— Lateral Movements: The same attacker attempted to harvest data from exposed servers and used it to attack other servers that have a trust relationship with the victim. This could be used to attack other servers within the same organization.
One actor stood out by sourcing most of the attacks. The IP address the attacks originated from is in Hong Kong, but most of their attack infrastructure is located in Russia.
Organizations should refrain from exposing NiFi to the internet and follow NiFi’s documentation to secure the instance correctly, said Ullrich. “We found several open, unsecured instances. Many of them are hosted with cloud providers like, for example, Azure.”
